^  o  9  b  ii  0  V  otf .  aiia 


AFWAL  -TR  -  80  - 2063 


RELIABILITY  ADVANCEMENT  FOR 
ELECTRONIC  ENGINE  CONTROLLERS 

k/olume  I:  Final  Report 


HAMILTON  STANDARD 

DIVISION  OF  UNITED  TECHNOLOGIES  CORPORATION 
WINDSOR  LOCKS,  CONNECTICUT  06096 


JUNE  1980 


TECHNICAL  REPORT  AFWAL -TR  -80  -  2063 

FINAL  REPORT  FOR  PERIOD  AUGUST  1977  TO  APRIL  1980 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED 


AERO  PROPULSION  LABORATORY 

AIR  FORCE  WRIGHT  AERONAUTICAL  LABORATORIES 

AIR  FORCE  SYSTEMS  COMMAND 

WRIGHT-PATTERSON  AIR  FORCE  BASE.  OHIO  45433 


Best 

Available 

Copy 


I 


When  Government  drawings,  specifications,  or  other  data  are  used  for  any  pur¬ 
pose  other  than  in  connection  with  a  definitely  related  Government  procurement 
operation,  the  United  States  Government  thereby  incurs  no  responsibility  nor  any 
obligation  whatsoever;  and  the  fact  that  the  government  may  have  formulated, 
furnished,  or  in  any  way  supplied  the  said  drawings,  specifications,  or  other 
data,  is  not  to  be  regarded  by  implication  or  otherwise  as  in  any  manner  licens¬ 
ing  the  holder  or  any  other  person  or  corporation,  or  conveying  any  rights  or 
permission  to  manufacture  use,  or  sell  any  patented  invention  that  may  in  any 
way  be  related  thereto. 

This  report  has  been  reviewed  by  the  Office  of  Public  Affairs  (ASD/PA)  and  is 
releasable  to  the  National  Technical  Information  Service  (NTIS),  At  NTIS,  it 
will  be  available  to  the  general  public,  including  foreign  nations. 

This  technical  report  has  been  reviewed  and  is  approved  for  publication. 


CHARLES  E.  RYAJT/JR. 
PROJECT  ENGINEER 


DAVID  H.  QUICK.^T  COL,  USAF 
CHIEF,  COMPONENTS  BRANCH 
TURBINE  ENGINE  DIVISION 
AERO  PROPULSION  LABORATORY 


FOR  THE  COMirANDER 


CHARLES  E .  BENTE 
ACTING  DEPUTY  DIRECTOR 
TURBINE  ENGINE  DIVISION 
AERO  PROPULSION  LABORATORY 


"If  your  address  has  changed,  if  you  wish  to  be  removed  from  our  mailing  list, 
or  i,  the  addressee  is  no  longt?r  employe!  by  your  organization  please  notify 
AFWAL/POTC  ,  W-PAFB,  OH  45433  to  help  us  maintain  a  current  mail- 

i'ng  list". 


Copies  of  this  report  should  not  be  returned  unless  return  i;,  required  by 
security  considerations,  contractual  obligations,  or  notice  on  a  specific  docu 
ment . 


AJH  f^ORCE/56780/15  M»rch  1981  -  100 


!  !'! !  REPORT  DOCUMENTATION  PAGE 


REPCM^T  JKIMBF.R 


READ  INS*|'RUCT10NS 

bmforf:  completing  form 


GOVT  ACCESSION  SO.  3  RECii’iEnT'S  CATALOG  NUMBER 


AFWALHTR-80-?d63^\^ol_l-  i 


\  h  9  3 


Ml  ^ 


.  RELIABILITY  ADVANCEMENT  FOR  ELECTRONIC  ENGINE  i^J/Final  ' 

CONTROLLERS,'  w,  .  r  -  1  Au3t^t-_ti7.7.r*. Apr 

_ _  ~  -'no ‘VhSER-  7667:-^ _ 

T.  AyTMORfJj  8.  CONTRACT  OR  GRAnT  NUMBERr*) 

C.  Rabinowitz  K.  'Walworth  j  J,  Vernon 

R.  Gtterberg  ■  P.  tote  '  '  (F336I6-77-C-2055 

K.  'Boucher  !  M.  "McGlone  (P&W'A) 


CONJURED 


CONTRACT  OR  GRAnT  NUMBERr*) 


1F336I6-77-C-2055 


B. 'PCRFOmRtNVORQANlZATiON  NAME  AnO  ADDRESS 

Hamilton  Standard  Division 

United  Technologies  Corporation 

Windsor  Locks,  Connecticut  06096  _ 


n  CONTROLLING  OFPICE  NAME  AnC  address  '2  REPORT  DATE 

huro  Propulsion  Laboratory  ulune  19SQ _ 

AF  '.'.'right  Aeronaii  t  i  ca  1  Laboratories,  AfSC  /  n  ^number  of  pages  ,  y 

WriahL-Patterson  Air  Force__Basis  (Thin _ _ I _ 516 _ 1 _ _ 


14  MONITORING  *GEnCy  NAME  AOORESSfl/  dj//er#fiJ  Iffun  ConiroUIng  Oif.'ce}  'S.  SECuRlTV  CLASS-  (of  this  rotjorf) 

Unclassified 

r..^^  ISa  OeCU  ASSiFic'ATrON.  OOWNC^AOrNO” 

odine  SCHEDULE 


'fi.  OlSTRiSifTirs  ST  ATr.^r.^T  R0r'>fl‘ 


Approved  for  public  release;  distribution  unlimited. 


17.  Distribution  ST  ATEmEn  t  (of  the  •b$tfci  tnl^rod  In  Block  2C.  n  dlllotoni  Itnm  Ropon) 


19  KEY  WORDS  (Contlnuo  on  ttd*  it  n«c*»«*fv  «ftc/  idenHly  by  block  nurrbor} 


•Elc'ctronic  Engine  Controller 
•Re  liability 
•Redundancy  I'ianagement 
^Accelerated  Stress  Test 


20  ^^^STR ACT  nnlinue  ‘in  revBfff*  »ido  It  nccf*»9ory  on-J  identify  hv  b/.i' >  'iunrh^r,' 

This  study  presents  a  comprehensive  approach  to  the  development  of  full- 
authority  electronic  en-jine  controls  which  are  capable  of  meeting  the  high 
reliability  levels  rcu'iuired  of  aircraft  turbine  engine  controls. 

The  primary  yroondrules  and  assumptions  are  defined,  including  the  Variable 
Cycle  engine,  its  control  requirements, and  service  environment.  A  preliminary 
design  is  developed,  beginning  with  a  system  description  and  reliability  evalu¬ 
ation  of  a  baseline  system,  including  implemcnlatinn  of  redunda..uy,  back-up  _ 


20.  ABSTRACT 


control  provisions,  and  seif-test. 

Through  detailed  system  analyses  and  electrical  and  mechanical  trade  studies, 
a  final  preliminary  design  is  derived.  (Other  topics  covered  include  compon¬ 
ent  baselines  for  reliability  and  cost  studies,  a  discussion  of  reliability 
technology  information  exchanges  with  consulting  organizations,  a  detailed  de¬ 
scription  of  reliability  improvement  measures  including  various  levels  of 
device  screening  and  testing,  and  a  Cost  of  Ownership  Study.) 

Through  the  effective  use  of  measures  such  as  fault  tolerant  coverage  and 
selective  duplex/triplex  redundancy,  the  final  RAEEC  system  developed  can 
approach  high  flight  safety  levels  and  the  goal  for  maintenance  MBTF  of  25,000 
hours. 


security  Cl  ASSi  ^  IC  ATiOKi  or  this  P  Vatm  KnJ»r#c/) 


FOREWORD 


This  study  was  initiated  to  establish  a  comprehensive  approach  to  the  develop¬ 
ment  of  a  high  reliability,  full-authority  electronic  engine  control.  The 
program  was  conducted  by  Hamilton  Standard  Division  of  United  Technologies 
Corporation  under  the  sponsorship  of  the  Aero  Propulsion  Laboratory,  Turbine 
Engine  Division,  Wright-Patterson  Air  Force  Base,  Ohio  (Air  Force  Contract  No. 
F33615-77-C-2055,  Project  No.  3066,  Task  No.  306603,  Work  Unit  No.  3066  03  75. 
Sincere  thanks  are  due  the  Project  Officer,  Charles  E.  Ryan,  Jr.,  AFWAL/POTC  for 
his  direction,  guidance,  and  encouragement  during  the  course  of  this  program. 

Mr.  Ryan  established  a  team  of  advanced  technology  advisors  to  add  their  consid¬ 
erable  experience  to  appropriate  parts  of  this  effort.  Hamilton  Standard 
Division  also  expresses  its  sincere  appreciation  to  these  organizations  and 
individuals  listed  below  for  their  invaluable  contributions: 

Bell  Telephone  Laboratories 

Conrad  H.  Fierdt  Jr. 

D.  Stewart  Peck 
Irwin  Schmidt 

Delco  Electronics  Division,  General  Motors  Corporation 


Kenneth  W.  Doversberger 
R.  M.  Siefken 
W.  Brown 

Rome  Air  Development  Center 

Joseph  B.  Brauer 
Clyde  Lane 

AFWAL  Avionics  Laboratory 

Captain  Roger  E.  Little 
Captain  Lawrence  C.  Hollatz 


L,S.  Army  Electronics  Command 


U.S.  Army  Material  Systems  Analysis  Activity 


SECTION 


PAGE 


I  INTRODUCTION  ' 

1.1  Background  of  Program  1 

1 .2  Purpose  and  Goals  1 

1.3  Method  of  Investigation  1 

II  definition  of  variable  cycle  engine  (VCE)  10 


2.1 

Engine  Cycle  Definition 

2.2 

Duct  and  Core  Stream  Augmentation 

2  3 

Engine  Ratings 

2.4 

Operational  Limits 

2.4.1 

Basic  Control  Modes 

2.4.2 

Augmentation  Control  Mode 

10 

12 

13 

lA 

15 

17 


III  CONTROLLER  PRELIMINARY  DESIGN 


19 


3.1 

Introduction 

3.2 

System  Description 

3.2.1 

RAEEC  Baseline  System 

3.2.2 

Backup  Control  Provisions,  Self  Test  ai 
Diagnostic  System 

3.2.3 

Self  Test 

3.2.4 

RAEEC  Final  System 

3.3 

System  Reliability  Evaluation 

3.3.1 

Concepts 

3.3.2 

Baseline  System 

3.3.3 

Reliability  Groundrules 

3.3.4 

RAEEC  Final  System 

3.3.5 

System  Coverage 

3.3.6 

Final  System  Flight  Safety  Probability 

3.4 

Electrical  Design 

3.4.1 

Introduction 

3.4.2 

Analog-to-Digital  Converter 

3.4.3 

Resol ver-to-Digital  Converter 

3.4.4 

Resolver  Excitation 

3.4.5 

Torque  Motor  D/A's  and  Drivers 

3.4.6 

Solenoid  Drivers 

3.4.7 

Pressure  Sensors  and  Circuitry 

3.4.8 

Low  Level  DC  Interface 

3.4.9 

Resolver  Multiplexer 

3.4.10 

Discrete  Signal  Conditioner  Circuit 

19 

19 

19 

28 

31 

35 

48 

48 

50 

53 

54 
61 
72 
77 

**  “J 
/  / 

77 

77 

80 

82 

83 

83 

39 

89 

89 


V 


TABLE  OF  CONTEtiTS  (Continued) 


SECTION 

3.4.  n 

3.4.12 

3.4.13 

3.4.14 

3.4.15 

3.4.16 
3.5 

3.5.1 

3.6.2 

3.5.3 

3.5.4 

3.5.5 

IV 

4.1 

4.1.1 

4.1.2 

4.1.3 

4.1.4 
4.2 

4.2.1 

4.2.2 

4.2.3 

4.2.4 
4.3 

4.3.1 

4.3.2 

4.3.3 

4.4. 

4.4.1 

4.4.2 

4.4.3 

4.4.4 

4.5 

V 


5.1 

5.2 

5.3 


Frequency  to  Digital  Spe^d  Interfaces 

Turbo  Pump  Speed  Interface 

Fault  Detection  Logic 

Power  Supply  System 

CPU  Design 

Low  Voltage  Circuit  Derating 

Mechanical  Design 

General 

Configuration  and  Installation 
Physical  Description 
Haintainabi  1  i ty 
Environmental  Design 


PAGE 

89 

94 

94 

94 

100 

121 

126 

126 

127 

129 

139 

140 


CONTROLLER  ENVIRONMENT 


15S 


Variable  Cycle  Engine  Simulation  15, q 
Aircraft  and  Engine  Selection  ig.o 
Mission  Profile  Selection  igg 
Flight  Envelope  Definition  150 
Simulation  Methodology  150 
Thermal  Environment  155 
Thermal  Environment  Definition  155 
Cooling  Methods  155 
Moisture  173 
Fuel  and  Oil  Resistance  175 
Vibration,  Acoustic,  and  Impact  Environment  170 
Vibration  Environment  Definition  17P 
Acoustic  Environment  Definition  103 
Impact  Environment  Definition  103 
Electrical  Environment  Definition  105 
Summary  lg5 
General  Igg 
Lightning  Environment  Igo 
Electromagnetic  Interference  (EMI)  Environment  igc 
Conclusions  igg 


COMPONENT  BASELINES  FOR  RELIABILITY  AND  COST  OF  201 

OWNERSHIP  STUDIES 


Baseline  System  Description,  Functional  201 
Baseline  System  Description,  Mechanical  203 
Part  Duality  Levels  205 


TABLE  CF  CONTENTS  (Continued) 


SECTION 


VI  RELIABILITY  TECHNOLOGY  TRANSFER  206 

VII  RELIABILITY  IMPROVEMENT  MEASURES  207 

7.1  General  207 

7.2  Thermal  Environment  207 

7.3  Redundancy  208 

7.4  Vibration  Environment  208 

7.5  Interconnection  Technology  209 

7.6  Component  Technology  209 

7.7  Advanced  Component  Derating  210 

7.8  Component  Screens  2II 

7.9  Module  Assembly  Test  and  Screens  211 

7.10  End  Item  Assembly  Level  Screening  and  Tests  212 

7.11  Summary  212 

VIII  tests  to  ENHANCE  RELIABILITY  GROWTH  215 

8.1  Introduction  215 

8.2  Piece  Part  Screening  217 

8.2.1  Integrated  Circuits  217 

8.2.2  Discrete  Semiconductors  222 

8.2.3  Tantalum  Capacitors  224 

8.2.4  Multilayer  Epoxy  or  Polyimide  Printed  Circuit  229 

Boards 

8.3  Subassembly  Level  (Module)  Screening  231 

8.3.1  Preproduction  233 

5.3.2  Production  236 

8.4  Final  Assembly  Level  Screening  236 

8.5  Reliability  Development  Testing  247 

8.6  Reliability  Growth  Modeling  252 

8.6.1  Generalized  Statistical  Analysis  252 

3.6.2  Early  Reliability  Growth  Evaluation  267 

IX  ACCELERATED  STRESS  TESTING  270 

9.1  Introduction  270 

9.2  Test  Program  271 

9.2.1  Facility  Evaluation  271 

9.2.2  Initial  Inspections  and  Tests  273 

9.2.3  Bias  Circuit  Evaluation  273 

9.2.4  High  Temperature  Accelerated  Life  Tests  274 

9.3  Conclusion  and  Results  277 


TABLE  OF  CONTENTS  (Continued) 


SECTION 

PAGE 

X 

COST  OF  OWNERSHIP  STUDY  FOR  RELIABILITY  ADVANCE¬ 

280 

MENT  OF  ENGINE  ELECTRONIC  CONTROLLERS 

10.1 

Introduction 

280 

10.2 

Objective 

280 

10.3 

Summary 

280 

10.4 

Approach 

2S1 

O  Cl  1 

10.4.1 

Ground  Rules 

281 

10.4.2 

System  Configurations 

282 

0  0/5 

10.4.3 

Major  Cost  Elements 

COH 

10.5 

Resu 1  is 

209 

10.6 

Conclusion 

301 

XI 

DEVELOPMENT  GUIDE 

302 

XII 

CONCLUSIONS 

303 

XI 11 

REC0M.1ENDATI0NS 

305 

A 

A 

ELECTRICAL  DESIGN:  BASELINE  and 

307 

TRADE  STUDIES 

APPENDIX 

B 

MECHANICAL  DESIGN  TRADE  STUDIES 

435 

APPENDIX 

C 

TECHNOLOGY  TRANSFER  VISIT  TO  ROME  AIR 

449 

DEVELOPMENT  CENTER 

APPENDIX 

D 

VIBRATION  AND  TEMPERATURE  TRADEOFF  STUDY 

457 

APPENDIX 

E 

PARAMETRIC  AND  FUNCTIONAL  DEVICE  TESTING 

469 

APPENDIX 

F 

CONSTRUCTION  EVALUATION  FOR  ACCELERATED  LIFE 

475 

TESTS 

APPENDIX 

G 

COSl  BENEFITS  OF  SELF-TRIM  CONTROL  MODES 

479 

REFERENCES 

485 

FIGURt 


PAGE 


SECTION  I 

1  PROGRAM  FLOW  CHART  RAF.EC 

2  RAEEC  CONTROLLER  EVOLUTION 

3  ELECTRONICS  SUPERVISORY  CONTROL 

4  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE  7 

(BATTLEFIELD  INTERDICTION  MISSION) 

5  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE  (DEEP  8 

STRIKE  MISSION) 

SECTION  II 


6 

VARIABLE  CYCLE  ENG  I' 

11 

7 

SIMPLIFIED  BLOCK  CT  JONTROL  MODE 

16 

6 

SECTION  III 

VARIABLE  CYCLE  ENGInF  ^OL  MODE-DUCT  STREAM 

AUGMENTOR  CONTROL  Bl  .  AGRAM 

18 

9 

RAEFC  BASELINE  SYSTEM  SIMPLIFIED  BLOCK  DIAGRAM 

20 

10 

FAILURE  MODE  SYNTHESIZATIOi)  CURVES 

29 

11 

RAEEC  FINAL  SYSTEM  SIMPLIFIED  BLOCK  DIAGRAM 

37 

12 

PRESSURE  SENSOR  TRANSDUCER  WITH  DUAL  ELECTRONICS 

47 

13 

BASELINE  SYSTEM  RELIABILITY  BLOCK  DIAGRAM 

51 

14 

RELIABILITY  BLOCK  DIAGRAM  -  FINAL  SYSTEM 

62 

15 

FLIGHT  SAFETY  RELIABILITY  BLOCK  DIAGRAM 

73 

16 

SAFETY  MODEL  RELIABILITY  GRAPH 

74 

17 

multi  -  PAMP  A/D  CONVERTER 

/O 

18 

RESOLVER  TO  DIGITAL  CONVERTER 

79 

19 

RESOLVER  EXCITATION 

81 

20 

TORQUE  MOTOR  DRIVER 

84 

21 

SOLENOID  DRIVER 

S5 

22 

SECTION  VIEW  OF  PRESSURE  SENSOR 

86 

23 

SENSOR  CIRCUIT  BLOCK  DIAGRAM 

r\ 

QO 

24 

LOW  LEVEL  INTERFACE 

90 

25 

RESOLVER  MULTIPLEXER 

91 

26 

DISCRETE  SIGNAL  CONDITIONER 

92 

27 

SPEED  INTERFACE 

93 

28 

TURBINE  PUMP  SPEED  INTERFACt 

95 

29 

FAULT  DISCRETES 

96 

30 

POWER  SUPPLY  BLOCK  DIAGRAM 

97 

31 

A/C  INTERFACE,  POWER  SUPPLY  SYSTEM 

98 

32 

RAEEC  DISTRIBUTIVE  PROCESSING 

101 

33 

TriREE-CHIP  HS  16/24  MACHINE 

104 

cr.  CO  ro 


LIST  UL  iLLMS’RAi IONS 


(Continued ) 


FIGOPE 

PAGE 

34 

RAElC  CPU  BLOCK  OIAORAK  (FOR  A  PARALLEL  KULTIl’LE 
INSTROCTlur.  multiple  data  MACHINE  ARCHITECTURE) 

106 

35 

1024  WORE;  RAM 

109 

36 

I/O  ADDRESSING 

112 

37 

PI'Al  port  ram  "IMMEDIATE  TRANSFER" 

116 

38 

‘■ULE  'APABILITY  backup  USING  AN  ADIjITIuMAL  , 

IDE:  1  I  CAL  CPU 

1  3 

39 

CGNFiTIONAL  LA-AGILITV  3ACKUP  L.ING  THE  FAILED 

C^U  AT  REO'jCi  PEPrORMANCE  CAPABILITY 

120 

4Q 

■^lST  uart 

122 

41 

PAEEC  PACl.Ab'.  U  .11  Mil 

128 

42 

RAEEC  PACKAbL  CONi  iGLP./-.T10‘. 

130 

43 

ELECTRONIC  MODULE 

131 

44 

OVEREOARD  DRAIN  SCHEMATIC 

136 

45 

RAEEC  CONTROE  CROSS-SECTI ON 

137 

45 

PRESSURE  SENSOR  MANIEOLD 

138 

47 

FUEL  FLOW  DIAGRAM 

144 

48 

CONDUCTIVE  HEAT  TRA’ISFER  PATriS 

147 

49 

PREDICTED  VIBRATION  ENVIRONMi^NT  FOR  VARIABLE  CYCLE 
ENGINE;  HIGHEST  PEAKS  IN  FREQUENCY  SPECTRUM  AT 

OUTER  ENGINE  CASE  JUST  UPSTREAM  OF  DUCT  Fl.AMEHOLDER 

1 50 

50 

PREDICTED  VARIABLE  CYCLE  ENGINE  INSTANTANEOUS 

VI3RAT10N  SPECTRUM  AT  THE  ELECIRONIC  CONTROL 

LOCATION 

151 

51 

INSTANTAN'EObS  VIBRATION  CURVE 

162 

62 

COMPONENT  mounting 

152 

63 

COMBINED  MAX  JFC9C  INTERNAL  COMPONENT  RESPONSE 

T('  ENGINE  TESTS 

153 

54 

FREQUENCY  TUNED  SYSTEM 

155 

55 

attenuation  CHARACTERISTICS 

157 

SCCTION  IV 

56 

ADVANCED  TACTICAL  FIGHTER  MISSION  PROEILE 
(BATTLEFIELIi  INTERDICTION  MISSIOI^ 

159 

57 

ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE 
^DEEP  STRIKE  MISSION) 

1  59 

58 

FLIGHT  ENVELOPE  AND  FLIGHT  POINTS  FOR  VARIABLE 

CYCLE  ENGINE 

161 

59 

ELECTRONIC  CONTROL  MOUNTING  CONFIGURATION 

166 

00 

COOLING  FUEL  ACCESS  POINTS 

171 

61 

r^OISTURE  DECREASE  Nil:.  ALTIiUDE 

62 

f^REL'ICTED'  VlBRAilUN  ENVIRONMEN'"  EOF,  V/'iPIABEE  CYCLE 
ENGINE 

179 

LIST  OF  ILLUSTRATIONS  (Continued) 


FIGURE 

63 


64 


65 

66 

67 

68 

69 

70 

71 

72 

73 


EFFECT  GN  VIBRAflOU  ENVIRONMENT  OF  MOVING  CONTROL 
LOCATION  AXIALLY 

PREDICTED  VARIABLE  CYCLE  ENGINE  INSTANTANEOUS 
VIBRATION  SPECTRUM  AT  THE  ELECTRONIC  CONTROL 
LOCATION 

SCHEMATIC  REPRESENTATION  OF  CONTROL  MOUNTING 
WITH  RESPECT  TO  VIBRATION 
PREDICTED  VARIABLE  CYCLE  ENGINE  ACOUSTIC 

environment 

CARGO  ENVIRONMENTS  FOR  HIGHWAY  TRANSPORT 
MAXIMUM  SHOCKS  RECORDED  DURING  AIRLINE  TEST 
SHIPMENT 

CARGO  ENVIRONMENTS  FOR  AIR  TRANSPORT 
LIGHTNING  STROKE  MECHANISMS 

natural  lightning  strike 

LIGHTNING  STROKE  MODEL 

ASSUMED  EMI  FIELD  OUTSIDE  AND  INSIDE  ENGINE 
NACELLE 


SECTION  V 

74  QUASI-REDUNOANT  DUAL  CHANNEL  BASELINE  SFSTEM 
SECTION  VII 

75  RELIABILITY  ROADMAP 
SECTION  VI i; 


PAGE 

180 

181 


182 

182 

1B4 

186 

187 

190 

191 
195 
200 


202 

214 


76 

ESTABLISHMENT  OF  ACCELERATED  S'JRN-IN  CONDITIONS 
(DESIGN  &  DEVELOPMENT  PHASE,  FOR  INTEGRATED 

219 

CIRCUITS) 

77 

100%  SCREENING  CF  INTEGRATED  CIRCUITS  DURING 

220 

PRODUCTION  PHASE 

73 

100%  ACCELERATED  SCREENING  FLOW  FOR  DISCRETE 

223 

SEMICONDUCTORS 

79 

STEP  STRESS,  TEST  OF  SOLID  TANTALUM  CAPACl  FOkS 

226 

(FREPRODUCTION  PHASE) 

80 

STEP  STRESS  TEST  OF  NON-SOLID  TANTALUM 

227 

CAPACITORS  (PREPRODUCTION  PHASE) 

81 

100%  ACCELERATED  SCREENING  OF  TANTALUM 

228 

82 

CAPACITORS  (PFODUCTION  PHASE) 

100%  SCREENING  OF  MULTILAYER  POLYIMIDL  LAM1I,ATC 

230 

UU/O  iLKttU;  UL.  t.'r  I'.-JL  I  1L><'LK  I'ULIl-iJUL  1.  rt 

PRINTED  CIRCUIT  BOARDS  PREPRODUCTION  AND 
PRODUCTION 


XI 


LIST  OF  ILLUSTRATIONS  (Continued) 


FIGURE  page 


83  PRINTED  CIRCUIT  BOARD  PLATED  THRU  HOLES  232 

84  100%  SCREENING  OF  POLYIHIDE  P.C.  BOARD  MODEL  234 

DURING  PREPRODUCTION  PHASE 

85  TEMPERATURE  EXTREMES  AT  DWELL  TIME  235 

86  100%  PREPRODUCTION  SCREENING  OF  MODULES  237 

INCORPORATING  LCC  AND  CERAMIC  SUBSTRATES 

87  100%  SCREENING  OF  MODULES  INCORPORATING  238 

POLYIMIOE  P.C.  BOARDS  DURING  PRODUCTION  PHASE 

88  100%  SCREENING  OF  PRODUCTION  MODULES  INCORPOR-  239 

ATING  LCC  AND  CERAMIC  SUBSTATES 

89  PRODUCTION  ACCEPTANCE  TEST  OF  END  ITEM  EQUIPMENT  241 

90  GENERALIZED  TEMPERATURE  CYCLING  FAILURE  RATE  242 

CURVES  AS  A  FUNCTION  OF  EQUIPMENT  COMPLEXITY 

91  DETERMINATION  OF  NUMBER  OF  TEMPERATURE  CYCLES  243 

AS  A  FUNCTION  OF  EQUIPMENT  COMPLEXITY 

92  TEMPERATURE  RATE  OF  CHANGE  OF  EQUIPMENT  IN  ITS  245 

USE  ENVIRONMENT  BY  SEVERITY  RANK 

93  CERT  OBJECTIVES  248 

94  CERT  TEST  CONDITIONS  250 

95  RELIABILITY  GROWTH  CYCLE  251 

96  GENERALIZED  STATISTICAL  ANALYSIS  FLOW  CHART  253 

97  CUMULATIVE  FAILURES  255 

98  AVERAGE  FAILURE  RATE  255 

SECTION  IX 

99  TEST  PROGRAM  FLOW  272 

100  MC14163B  BIAS  CIRCUIT  275 

section  X 

101  LIFE  CYCLE  COST  ELEMENTS  283 

102  USAF  LOGISTICS  SUPPORT  COST  MODEL  285 

103  EQUATION  1  -  PIPELINE  SPARES  286 

104  EQUATION  2  -  ON-EQUlPMENT  MAINTENANCE  287 

105  EQUATION  3  -  OFF-EQUIPMENT  MAINTENANCE  288 

106  EQUATION  6  -  PERSONNEL  TRAINING  289 

107  EQUATION  7  -  TECHNICAL  DATA  290 

108  ELECTRONIC  ENGINE  CONTROLLER  COST  COMPARISON  300 


XT  1 


LIST  OF  TABLES 


TABLE  PAGE 


SECTION  I 


1 

ASSUMPTIONS 

4 

2 

SECTION 

III 

IMPERATIVES/ADMONITIONS 

5 

3 

RAEEC  BASELINE  SYSTEM  DEFINITION 

21 

4 

RAEEC  FINAL  SYSTEM  DEFINITION 

38 

5 

FAILURE  EFFECTS-BASELINE  SYSTEM 

52 

6 

FIRST  FAILURE  FLAG  ACTION  MODIFIED  BASELINE  SYSTEM 

55 

7 

FAILURE  EFFECTS  -  FINAL  SYSTEM 

57 

8 

FIRST  FAILURE  FLAG  ACTION  FINAL  SYSTEM 

58 

9 

FINAL  RAEEC  SYSTEM  COVERAGE 

68 

10 

BUILT-IN-TEST  SUMMARY 

’1 

11 

POWER  SUPPLY  REQUIREMENTS 

99 

12 

COMPUTER  ARCHITECTURE  "BOTTON-LINE" 

102 

13 

SINGLE  INSTRUCTION  SINGLE  DATA  CPU 

105 

14 

RAEEC  RAM  DESIGN 

no 

15 

RAEEC  ROM  DESIGN 

111 

16 

RAEEC  I/O  ADDRESSING 

113 

17 

RAEEC  DUAL-PORT  DESIGN  TRADEOFFS 

117 

18 

RAEEC  TEST  UART 

123 

19 

CMOS  STRESS  DERATING  IMPROVEMENT 

124 

20 

TYPICAL  ENGINE  NACELLE  THERMAL  ENVIRONMENT  - 
BATTLEFIELD  INTERDICTION  MISSION 

142 

21 

TYPICAL  ENGINE  NACELLE  THERMAL  ENVIRONMENT  - 
DEEP  STRIKE  MISSION 

143 

22 

SECTION 

IV 

POWER  DISSIPATION 

146 

23 

PREDICTED  ENGINE  OPERATING  CONDITIONS  AT 

EXTREME  FLIGHT  CONDITIONS 

162 

24 

TYPICAL  ENGINE  OPERATING  CONDITIONS  - 
BATTLEFIELD  INTERDICTION  MISSION 

163 

25 

TYPICAL  ENGINE  OPERATING  CONDITIONS  - 
DEEP  STRIKE  MISSION 

164 

26 

PREDICTED  ENGINE  NACELLE  THERMAL  ENVIRONMENT 

AT  EXTREME  FLIGHT  CONDITIONS 

167 

27 

TYPICAL  ENGINE  NACELLE  THERMAL  ENVIRONMENT  - 
BATTLEFIELD  INTERDICTION  MISSION 

16B 

28 

TYPICAL  ENGINE  NACEELE  THERMAL  ENVIRONMENT  - 
DEEP  STRIKE  MISSION 

169 

LIST  OF  TABLES  (Continued) 


TABLE  PAGE 

29  LOW  PROBABILITY  MODELS  OF  PRECIPITATION  RATES  176 

AND  LIQUID  WATER  ALOFT  ^SISSENWINE,  AFCRL-72- 
0369,  1972) 

30  SUMMARY  OF  LIQUID  WATER  CONTENT  AT  ALTITUDE  177 

(SISSENWINE,  AFCRL-72-0369,  1972) 

SECTION  VIII 

31  CONFIDENCE  INTERVALS  FOR  MTBF  FROM  TIME  261 

TERMINATED  TEST 

32  CRITICAL  VALUES  FOR  CRAMER-VON  MISES  GOODNESS  263 

OF  FIT  TEST 

33  CONFIDENCE  INTERVALS  FOR  MTBF  FROM  FAILURE  265 

TERMINATED  TEST 

SECTION  IX 

34  BIAS  CIRCUIT  EVALUATION  SUMMARY  276 

35  PARAMETRIC  TEST  SUMMARY  278 


SECTION  X 


36 

37 


DEFINITION  OF  TERMS  IN  LSC  MODEL  EQUATIONS 
WEAPON  SYSTEM  INPUT  PARAMETERS 


291 

294 


GLOSSARY 


ACCELERATED  STRESS  TESTING  -  Testing  in  which  the  applied  stress  level  is 
chosen  to  exceed  that  stated  in  the  reference  conditions  in  order  to 
shorten  the  time  required  to  observe  the  stress  response  of  the  item 
or  magnify  the  response  in  a  given  time. 

AVAILABILITY  -  A  measure  of  the  degree  to  which  an  item  is  in  the  operable 
and  committable  state  at  the  start  of  the  mission. 

COVERAGE  -  The  conditional  probability  that  given  the  existence  of  a  failure 
in  an  operational  system,  the  system  is  able  to  recover  and  continue 
operation  with  no  permanent  loss  of  function. 

CROSS  CHANNEL  MONITORING  -  The  process  by  which  the  signals  or  outputs  of 
the  channels  are  compared  and  any  disagreement,  outside  of  a  tolerance 
range,  is  classified  a  fault. 

CROSS-STRAPPING  -  The  physical  hardwiring  of  an  element  in  one  channel  to 
elements  in  other  channels. 

PAULT  TOLERANCE  -  The  ability  of  the  system  to  experience  a  finite  number 
of  failures  and  continue  operation,  in  either  a  fully  operational  or 
degraded  mode. 

FLIGHT  SAFETY  RELIABILITY  -  The  probability,  per  flight,  of  not  losing  the 
aircraft  due  to  failures  in  the  engine  control. 

IN-LINE  CHANNEL  MONITORING  -  The  process  by  which  the  signals  or  outputs  of 
a  single  channel  are  checked  (for  faults)  by  the  processor  of  the 
channel.  Also  referred  to  as  BIT. 

MAINTENANCE  RELIABILITY  -  The  probability  that  the  device  will  not  require  a 
maintenance  action  in  the  manner  and  under  the  conditions  of  intended 
use . 

MISSION  RELIABILITY  -  The  probability  that  the  device  will  successfully 
complete  its  defined  mission. 

OPERATIONAL  READINESS  -  See  AVAILABILITY. 

REDUNCANCY  MANAGEMENT  -  The  process  of  improving  the  coverage  of  failures 
with  the  purpose  of  making  the  system  fault  tolerant. 

SYNTHESIS  -  The  substitution  of  data  calculated  from  the  physical  relation¬ 
ships  of  the  system  using  other  parameters  for  a  failed  element. 


xv/xvi 


ABBREVIATIONS,  ACRONYMS,  AND  SYMBOLS 


A4  -  High  Pressure  Turbine  Inlet  Area 

A41  -  Low  Pressure  Turbine  Inlet  Area 

A/D  -  Analog-to-Digital  Converter 

AFAPL  -  Air  Force  Aero  Propulsion  Laboratory 

AFCRL  -  Air  Force  Cambridge  Research  Laboratories 

AGE  -  Auxiliary  Ground  Equipment 

AGREE  -  Advisory  Group  on  Reliability  of  Electronic  Equipment 

AlC  -  Air  Inlet  Control 

AOD  -  Duct  Stream  Exhaust  Nozzle  Area 

AOE  -  Core  Stream  Exhaust  Nozzle  Area 

AM5AA  -  Army  Material  Systems  Analysis  Activity 

AQL  -  Acceptable  Quality  Level 

ASSY  -  Assembly 

AUG  -  Augmentation 

BIT  -  Built-In-Test 

CMVT  -  Constant  Match  Varying  Temperature 

COS  -  Cost  of  Ownership  Study 

CPU  -  Central  Processor  Unit 

CSVA  -  Compressor  Stator  Vane  Angle 

D/A  -  Digi tal-to-Analog  Converter 


xvi  i 


Delta  (  A  ) : 

APS  -  Compressor  Discharge  Differential  Pressure 
APIS  -  Fan  Discharge  Differential  Pressure 
DIP  -  Dual  In-Line  Package 
DMA  -  Direct  Memory  Access 
DPRAM  -  Dual  Port  Random  Access  Memory 
DPCTRAM  -  Dual  Port  Cross  Talk  Random  Access  Memory 
EAROM  -  Electrically  Alterable  Read  Only  Memory 
ECM  -  Electronic  Counter  Measures 
ECU  -  Electronic  Control  Unit 
EEC  -  Electronic  Engine  Control 
Ep  -  Fan  Excitation  Order 
Eh  -  High  Rotor  Excitation  Order 
EMC  -  Electromagnetic  Compatibility 
EMI  -  Electromagnetic  Interference 
EMP  -  Electromagnetic  Pulse 
EOC  -  End  of  Conversion 
EPR  -  Engine  Pressure  Ratio 

FADEC  -  Full  Authority  Digital  Electronic  Control 

FET  -  Field  Effect  Transistor 

FIFO  -  First  In  First  Out 

FIGV  -  Fan  Inlet  Guide  Vane  Angle 

GOMAC  -  Government  Microcircuits  Application  Conference 


HCC  -  Hermet’o  Chip  Carrier 

HTOT  -  High  Temperature  Overstress  Testing 

HTRB  -  High  Temperature  Reverse  Bias 

I/O  -  Input/Output 

JAN  (JN)  -  Joint  Army  Navy 

JAN^  -  Highest  Procurement  Level 

JANTX  -  Extra  Testing 

JANTXV  -  Extra  Testing  and  Internal  Visual 

KOPS  -  Thousand  Operations  Per  Second 
LCC  -  Leadless  Chip  Carrier 
LOD  -  Light  Off  Detector 
LRU  -  Line  Replaceable  Unit 
LSB  -  Least  Significant  Bit 
LSC  -  Logistic.  Support  Cost 
LSI  -  Large  Scale  Integration 
MIMD  -  Multiple  Instruction  Multiple  Data 
MOS  -  Metal  Oxide  Semiconductor 
MSB  -  Most  Significant  Bit 
MSKC  -  Marshal  Space  Flight  Center 
MSI  -  Medium  Scale  Integration 
MTBF  -  Mean  Time  Between  Failures 
MTBUR  -  Mean  Time  Before  Unscheduled  Removal 
MUX  -  Multiplexer 


XIX 


N]  (NL)  -  Low  Rotor  Speed 

N2  (NH)  -  High  Rotor  Speed 

NHA  -  Next  Higher  Assembly 

NOGS  -  Non-Operational  Control  System 

P2  -  Fan  Inlet  Total  Pressure 

P3  -  Compressor  Discharge  Total  Pressure 

P5  -  Low  Pressure  Turbine  Discharge  Total  Pressure 

P5/P2  -  Engine  Pressure  Ratio 

P12  -  Fan  Inlet  Total  Pressure 

P13  -  Fan  Discharge  Total  Pressure 

Pam  -  Ambient  Pressure 

Pb  -  Burner  Pressure 

PAT  -  Production  Acceptance  Test 

PIND  -  Particle  Impact  Noise  Detection 

PLA  -  Power  Lever  Angle 

PLADH  -  Duct  Augmentor  Power  Lever  Angle 

POR  -  Power  On  Reset 

PROM  -  Programmable  Read  Only  Memory 

PSR  -  Power  Supply  Reset 

PS3  -  Compressor  Discharge  Static  Pressure 

PS13  -  Fan  Discharge  Static  Pressure 

PT2  -  Total  Fan  Inlet  Pressure 

PT3  -  Total  Compressor  Discharge  Pressure 

Pi  5  -  Total  Low  Pressure  Turbine  Discharge  Pressure 

PT13  -  Total  Fan  Discharge  Pressure 


XX 


Ptd  -  Fan  Duct  Total  Pressure 

PWM  -  Pulse  Width  Modulation 

QPL  -  Qualified  Products  List  (Mil) 

RAM  -  Random  Access  Memory 

R/D  -  Resol ver-to-Digital  Converter 

RF  -  Rocket  Fire  Signal 

RI  -  Receiving  Inspection 

RM  -  Redundancy  Management 

ROM  -  Read  Only  Memory 

SOFTP  -  Self  Diagnosing  Fault  Tolerant  Microprocessor 

SEM  -  Scanning  Electron  Microscope 

SIMD  -  Single  Instruction  Multiple  Data 

SISD  -  Single  Instruction  Single  Data 

SOS  -  Silicon  On  Saphire 

SOV  -  Solenoid  Operated  Valve 

SPM  -  Scratch  Pad  Memory 

SSI  -  Small  Scale  Integration 

T3  -  Compressor  Discharge  Total  Temperature 

T22  -  Compressor  Inlet  Total  Temperature 

Tam  -  Ambient  Temperature 

TBT  -  Turbine  Blade  Temperature 

Thr,  Bal.  -  Thrust  Balance 

TPS  -  Turbine  Pump  Speed 


TT2  -  Fan  Inlet  Total  Temperature 

Ttd  -  Fan  Duct  Total  Temperature 

TTL  or  T^l  -  Transistor  to  Transistor  Logic 

DART  -  Universal  Asynchronous  Receiver/Transmitter 

VCE  -  Variable  Cycle  Engine 

VLSI  -  Very  l.arge  Scale  Integration 

V/STOL  -  Vertical/Short  Take-Off  and  Landing 

WAi3  -  Duct  Air  Flow 

-  Fan  Duct  Airflow  Rate 
Wf  -  Fuel  Flow 

Wfdl  -  Duct  Augmentor  Fuel  Flow,  Zone  1 

Wfd2  •>  Duct  Augmentor  Fuel  Flow,  Zone  2 

Wfa3  -  Duct  Augmentor  Fuel  Flow,  Zone  3 

WFOH  -  Fuel  Flow,  Duct  Heater 

Wfep  -  Gas  Generator  Primary  Zone  Fuel  Flow 

Wfes  -  Gas  Generator  Secondary  Zone  Fuel  Flow 

WOW  -  Weight  On  Wheels  Signal 

Wtd  -  Duct  Heater  Fuel  Flowrate 

Wte  -  Core  Fuel  Flowrate 

XNH  -  High  Rotor  Speed 

XNL  -  Low  Rotor  Speed 

Q^2  ~  Ratio  of  fan  inlet  air  temperature  to  standard  ambient  temperature 

at  sea  level 


SUMMARY 


The  employment  of  electronics  technology  in  the  full-authority  control  of  air¬ 
craft  turbine  engines  offers  many  advantages  over  the  traditional  hydromechanical 
technology;  increased  accuracy,  improved  control  modes,  better  maintenance,  and, 
because  of  no-trim-required  capabilities,  substantially  reduced  life  cycle  cost. 
In  terms  of  the  key  element  of  reliability,  however,  considerable  study  and  in¬ 
vestigation  of  means  to  improve  the  reliability  potential  of  electronic  engine 
controllers  has  been  deemed  necessary  to  the  end  that,  at  maturity  no  reliability 
penalty  need  attend  their  use  on  military  engines.  The  Reliability  Advancement 
For  Electronic  Engine  Controls  (RAEEC)  Final  Report  presents  a  comprehensive 
approach  for  the  evolution  of  a  controller  design  capable  of  providing  a  main¬ 
tenance  mean  time  between  failures  (MIBF)  of  nearly  25,000  hours  after  500,000 
engine  flight  hours.  This  compares  favorably  with  the  high  reliability  levels 
of  mature  hydromechanical  systems. 

The  engine  cycle  definition  for  the  RAEEC  control  study  was  the  variable-cycle 
engine  (VCE),  derived  from  the  Navy's  "Ful 1 -Authori ty  Digital  Electronic  Control" 
(FADEC)  program  (Contract  No.  N00019-76-C-0422) .  The  operating  requirements 
and  service  environment  for  this  type  of  engine,  during  a  given  mission  profile, 
p.'ovide  the  basis  for  the  control  system  development  in  the  RAEEC  program. 

The  baseline  system  is  a  two  channel  (primary  and  secondary)  configuration 
with  each  channel  having  its  own  set  of  input  sensors  and  signals,  a  central 
processing  unit  (CPU),  and  a  set  of  output  function  controls.  The  basic  mode 
of  operation  for  the  controller  is  to  establish  function  control  by  using  the 
primary  channel.  If  there  is  a  detectable  fault  in  the  primary  channel,  control 
of  the  Output  functions  is  transferred  to  the  secondary  channel.  In  the  two 
channel  baseline  system,  most  of  the  output  functions  and  all  input  sensors  and 
signals  are  redundant,  with  the  exception  of  the  six  pressure  senso>^s  and  two 
temperature  sensors.  Memory- to -memory  communication  between  the  channels  is 
provided  by  a  Universal  Asynchronous  Receiver/Transmitter  (UART)  data  link. 

The  development  of  electronic  control  systems  with  high  mean  time  between  fail¬ 
ures  and  high  mission  safety  encompasses  two  conflicting  goals.  Mission 
safety  is  provided  by  several  levels  of  redundancy  ,  whereas  maximum  HTBF  is 
achieved  through  simplicity.  To  reconcile  these  two  opposing  goals,  a  fault- 
tolerant  design  approach  is  necessary  to  extend  trouble-free  service  life,  to 
increase  availability,  and  to  minimize  the  probability  of  safety-cr'i tical  fail¬ 
ures.  The  RAEEC  design  goal  is  to  keep  the  system  operational  in  spite  of 
single  and  multiple  hardware  failures. 


In  the  course  of  the  RAEEC  study,  the  baseline  system  was  altered  to  evaluate 
the  benefit  of  successive  application  of  Redundancy  Management  techniques  such 
as  selective  triple  redundancy,  majority  voting,  fault  coverage.  Built-in-test 
(BIT),  parameter  synthesis,  and  reliability  mathematical  modeling  methods. 

Through  the  application  of  Redundancy  Management  in  tiie  design  of  highly  re¬ 
liable  fault  tolerant  electronic  fuel  controls,  an  optimal  mix  of  MTBF,  safety, 
and  hardware  complexity  can  be  achieved;  specifically  through  selected  triple 

1  f 


reduncancy  at  the  functional  modular  level  with  a  high  degree  of  cross-strap¬ 
ping.  The  configuration  is  such  that  the  control  can  operate  satisfactorily  at 
a  full  performance  level  with  several  dissimilar  failures  in  two  channels.  In 
many  cases,  the  redundancy  in  the  system  also  allows  postponement  of  immediate 
maintenance  actions  without  compromising  effective  fuel  control  performance. 

Circuit  design  trades  were  conducted  on  fourteen  circuit  designs  and  partitions 
to  define  the  optimal  final  system.  The  trades  considered  the  application  of 
any  technology  in  production  as  of  1979,  in  terms  of  a  design's  salient  fea¬ 
tures  and  drawbacks,  circuit  board  area,  and  power  dissipation.  The  final 
circuit  choices  included  a  distributive  processing  array  CPU  configuration. 

The  mechanical  package  design  for  the  RAF.EC  control  incorporates  modular  con¬ 
struction  for  standardization  and  simplification  of  assembly,  troubleshooting, 
and  repair.  Design  features  are  developed  to  accommodate  the  predicted  ther¬ 
mal,  vibratory,  acoustic,  impact,  and  humidity  elements  of  the  controller's 
operational  environment. 

Particular  emphasis  was  placed  on  tests  to  enhance  reliability  growth.  These 
involve  screening  of  piece  parts,  sub-assembly,  and  final  assembly,  as  well  as 
Combined  Environmental  Reliability  Testing  (CERT)  tests  for  hard  "real  world" 
data  from  actual  equipment  use  before  entry  into  service.  High  temperature 
accelerated  stress  testing  of  semiconductor  devices  was  evaluated  to  determine 
the  viability  of  such  testing.  The  testing  done  demonstrated  that  the  semi¬ 
conductor  devices  subjected  to  test  were  very  reliable.  Clearly,  such  testing 
can  be  very  useful  for  semiconductor  device  screening  purposes  and  for  the 
characterization  of  device  life  distribution. 

In  an  effort  to  derive  maximum  benefit  from  the  experience  of  other  organiza¬ 
tions  in  terms  of  their  own  reliability  enhancement  efforts  in  the  electronics 
field,  a  number  of  technology  transfer  visits  and  many  telephone  discussions 
have  been  conducted  as  described  herein. 

Reliability  improvement  measures  were  targeted  for  the  following  areas: 

1.  Thermal  Environment 

2.  Redundancy 

3.  Vibration  Environment 

4.  Interconnect  Technology 

5.  Component  Technology 

6.  Advanced  Component  Derating 

7.  Component  Screens 

8.  Assembly  Tests  and  Screens 


When  all  improvement  measures  were  implemented,  an  MTBF  improvement  factor  of 
25  was  obtained. 

Cost  of  ownership  studies  and  self-trim  investigations  support  the  expectation 
of  substantial  liTe  cycle  cost  savings  based  upon  assumed  guidelines  for  an 
electronic  engine  control.  Cost  study  results  also  show  that  increased  re¬ 
liability  can  reduce  the  cost  of  maintenance  to  low  levels.  There  is  a  re¬ 
liability  level  beyond  which  further  improvements  are  not  cost  effective  from 
a  maintenance  standpoint  and  must  be  justified  by  requirements  for  mission 
reliability  and  flight  safety. 

No  single  reliability  improvement  measure  will  result  in  a  high  degree  of  re¬ 
liability  enhancement  for  an  electronic  engine  control  (EEC),  but  a  family  of 
improvement  measures,  involving  design,  procurement,  and  manufacturing  disci¬ 
plines  can  result  in  a  full-authority  EEC  with  a  maintenance  reliability  many 
times  greater  than  the  overhaul  period  of  the  engine  it  controU.  Detailed 
conclusions  and  recommendations  are  presented  separately  at  the  end  of  the 
RAEEC  Final  Report. 


xxv/x>.  vi 


SECTION  I  INTRODUCTION 


IJ  Background  of  Program 

The  historical  trend  in  military  high  performance  aircraft  engines  and  engine 
controls  has  been  toward  higher  levels  of  complexity,  increased  accuracy  of 
control,  and  more  stringent  operational  control  requirements.  The  application 
of  full-authority  digital  electronic  control  technology  to  meet  this  challenge 
is  expected  to  provide  economic  benefits  because  of  the  ability  to  operate 
with  greater  precision,  utilize  improved  control  modes,  and  employ  better  main¬ 
tenance  procedures  then  the  hydromechanical  counterpart.  However,  engine- 
mounted  digital  electronic  controls  employ  technology  which  is  still  in  a 
developing  and  emerging  state.  Consequently,  there  is  considerable  concern 
about  the  ability  of  electronics  technology  to  provide  those  levels  of  reli¬ 
ability  which  the  users  of  aircraft  turbine  engines  have  come  to  expect.  The 
intent  of  this  study,  therefore,  is  to  investigate  means  of  improving  the  re¬ 
liability  potential  of  electronic  engine  controls  to  the  end  that,  at  maturity, 
no  reliability  penalty  need  attend  their  use  on  military  high  performance 
engines  in  next  generation  aircraft. 

1 .2  Purpose  and  Goals 

The  overall  objective  of  this  program  is  to  develop  a  comprehensive  approach 
to  the  development  of  electronic  engine  controllers  which  can  lead  to  the 
achievement  of  very  high  levels  of  reliability.  The  specific  goal  for  this 
program  is  the  evolution  of  a  controller  preliminary  design  capable  of  pro¬ 
viding  a  maintenance  reliability  MTBF  of  25,000  lours.  Forty  percent  of  this 
goal  is  to  be  reached  at  the  50,000  engine-f 1 ight-hour  point  and  ninety-five 
percent  of  this  goal  is  to  be  reached  at  the  500., 000  engine-flight-hour  point. 
This  goal  is  comparable  to  the  MTBF  associated  with  the  logic  section  of  the 
hydromechanical  "main  fuel  control"  of  079  engines  in  the  L'.S.  F-4  fighter 
aircraft  fleet. 


1.3  Method  of  Investigation 

The  method  of  investigation  for  this  program  :s  illustrated  in  the  program  flow 
chart  of  Figure  1.  The  heart  of  this  program  is  the  "reiiabiliiy  improvement 
measures"  which  are  iterated  many  t’mes  during  the  program  using  the  format 
shown  in  Figure  2.  Selection  of  the  variable  cycle  engine  used  in  the  Navy- 
sponsored  FADEC  program  and  the  control  modes  developed  for  that  VCE  engine 
have  allowed  the  focus  of  attention  in  the  subject  program  to  be  on  the  improve 
merit  of  reliability  of  the  engine  controller.  A  number  of  assumptions 
(Table  I ) have  been  utilized  in  the  program  with  the  review  and  concurrence  of 
AFAPl,  In  addition,  a  number  of  imperatives/admonitions  have  been  provided 
by  AFAPL  (Tabic-  2).  In  responding  to  the  imperat  i  ve./adnoni  t  ion  regarding 
the-  iMp-orcance  of  field  re  1  i  a!'i  I  i  ty ,  field  reiiabiliiy  experience  has  bec-n 
utilised  as  apor-Dpr  i  ate  frum  the  only  large-engine  ci;;  i  ne-mounted  electronic 
conli'ol  will  significant  tieid  history,  nai'iolv  the  I'15/ri6  engine  controller 
shnv.ii  in  I'lgiirc  ?■ .  Coniponen*  and  assei  Liy  data  iiased  on  USAF  field 


TABLE  1  ASSUMPTIONS 


•  Definition  of  aircraft 

•  Advanced  tactical  fighter 

•  Two  VCE  engines 

•  Located  AFT  fuselage 

•  Mission  definition 

•  Battlefield  interdiction  (See  Figure  4) 

•  Deep  strike  (See  Figure  5) 

•  Ten  missions/day  equally  divided 

•  Shock  and  vibration  sources  other  than  engine 

•  Gatling  gun 

•  Hard  landings 

•  Maintenance  philosophy  and  objectives 

•  Forward  front  line  base 

•  Self  contained  health  monitoring 

•  No  ground  equipment 

•  Pull  entire  control  and  replace 
•  No  trim  or  adjust 

•  Level  II  maintenance  depot 

•  AGE  computer  test  set 

•  Diagnostics  and  fault  isolation 

•  Module  and  parts  inventory 

•  Trim  and  adjust 


4 


TABLE  2  IMPERATIVES/ADMONITIONS 


•  Not  bound  Mil  specs,  and  conventional  practices. 


•  Derive  max.,  benefit  from  accelerated  test  technology  at  component  and 
subassembly/assembly  level  enhanced  by  interface  with  industry  advisors. 

•  Establish  life  cycle  cost  basis  for  future  judgement  regarding  "How  much 
realiability  should  Air  Force  seek  to  afford". 


Cognizant  of  current  workshops/seminars. 


•  Use  pragmatic  approach  to  retain  techniques  which  work,  discard  rest. 


•  Emphasize  field  MTBF  as  the  most  important  reliability  measure.  Try  to 
understand  it,  measure  it,  and  correlate  with  it. 

•  For  high  reliability  use  high  quality  parts  in  conservative  ways. 


!  A 


•  Publish 


2  8  o  ylii 

^  ^  [i!  (/)■ 

£  <  0.  03 

O  UJ  J  q:  5  -I 

z  p  I-  <  o  ^ 

UJ  ti.  h  QL  O  ^ 

□  □  □  □  □ 


Cruise 
44,900  ft 
M  0.942 


E-  4807 


FIGURE  4  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE 
(BATTLEFIELD  INTERDICTION  MISSION) 


Penetration 
61,900  ft 


E-1S80B 


FIGURE  5  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE 
(DEEP  STRIKE  MISSION) 


reliability  history  have  been  utilized  in  the  definition  of  the  "baseline" 
controller. 

The  work  conducted  by  Hamilton  Standard  and  its  supporting  contractors  during 
the  course  of  this  study  follows  the  flow  chart  of  Figure  1  and  is  summarized 
in  this  report. 


SECTION  II  DEFINITION  OF  VARIABLE  CYCLE  ENGINE  (VCE) 

2.1  Engine  Cycle  Definition 

The  Engine  Cycle  Definition,  given  below,  was  obtained  from  the  FADEC  VCE  con¬ 
cept  which  serves  as  the  baseline  for  the  RAEEC  Program.  Variable  cycle 
engines,  such  as  the  configuration  shown  in  Figure  6,  incorporate  variable 
fan  stator  vanes,  variable  compressor  stator  vanes,  variable  high-and  low- 
pressure  turbine  vane  areas,  and  variable  primary  and  fan  duct  exhaust  nozzle 
areas  in  a  two  stream  exhaust  configuration.  This  degree  of  variable  geometry 
provides  the  propulsion  system  designer  with  improved  flexibility  for  con¬ 
trolling  engine  operating  pressures,  thrust-turbine  temperature-airflow  rela¬ 
tionships,  engine  by-pass  ratio,  and  transient  response.  Probably  the  single 
most  important  source  of  performance  benefit  for  this  engine  configuration 
over  a  fixed-area  turbine  configuration  is  the  capability  to  operate  at  con¬ 
stant  inlet  airflow  over  not  only  the  augmented  power  range,  but  also  over  a 
significant  portion  of  the  nonaugmented  high  power  range. 

Maintaining  constant  airflow  over  a  range  of  power  settings  is  accomplished 
through  a  mode  of  operation  referred  to  as  constant  match  varying  temperature 
(CMVT)  operation.  This  mode  of  operation  requires  a  constant  match  of  rotor 
speeds,  pressure  ratios,  and  corrected  airflow  of  the  fan  and  compressor  as 
turbine  stator  inlet  temperature  is  varied.  This  is  accomplished  by  changing 
fuel  flow  to  set  the  power  level,  while  modulating  the  turbine  and  exhaust 
nozzle  areas  to  maintain  constant  values  of  high  and  low  turbine  work  and 
constant  gas  flow  through  the  compressor  and  fan  duct.  Power  can  be  reduced 
in  this  manner  from  the  intermediate  Uvel  (highest  nonaugmented  power  level), 
while  maintaining  a  constant  match  of  the  fan  and  compressor  until  the  low 
turbine  exit  flow  parameter  reaches  its  maximum  allowable  value,  determined 
from  consideration  of  pressure  loss  and  flow  separation  of  the  exit  guide 
vane.  This  power  level  is  referred  to  as  the  breakpoint  of  CMVT.  Below  break¬ 
point  power,  constant  airflow  cannot  be  maintained,  but  fan  and  compressor 
operating  lines  and  engine  bypass  ratio  can  be  controlled. 

Operation  in  the  CMVT  mode  requires  a  two-stream,  or  nonmixed  flow,  exhaust 
nozzle  configuration  to  avoid  static  pressure  balancing  of  the  two  exhaust 
streams  which  would  cause  the  fan  to  operate  off  the  desired  match  point,  and 
hence  at  lower  efficiency. 

The  control  flexibility  provided  by  the  variable  geometry  results  in  perform¬ 
ance  benefits  which  include  the  following: 

a.  From  a  cycle  point  of  view,  the  variable-area  turbine  engine  operat¬ 
ing  with  the  CMVT  mode  has  a  higher  compression  ratio  for  a  given 
turbine  temperature,  and  therefore,  a  cycle  advantage  which  yields 
lower  fuel  consumption  at  all  powers  below  intermediate. 


STARTING  uuKt 

BLEEDS  FUEL  FLOW  ^4, 


E-5655 


FIGURE  6  VARIABLE  CYCLE  ENGINE 


b.  The  capability  to  reduce  thrust  at  constant  airflow  leads  to  a  re¬ 
duction  in  inlet  and  exhaust  nozzle  drag  at  part  power  conditions, 
and  therefore  improvements  in  installed  thrust  specific  fuel  con¬ 
sumption  . 

c.  For  operation  at  high  supersonic  conditions,  accurate  control  of 
engine  airflow  resulting  from  the  variable  geometry  plus  the  capa¬ 
bility  for  constant  airflow  operation  and  better  inlet/engine  match¬ 
ing  can  result  in  a  smaller  inlet  size,  thus  reducing  weight  and 
drag  while  maintaining  aircraft  thrust  requirements  and  propulsion 
system  stability. 

d.  The  variable  areas  can  accommodate  adjustments  for  cycle  variation  due 
to  altitude,  bleed  air  or  horsepower  extraction. 

e.  In  the  area  of  aircraft-control  integration,  the  variable-area  turbine 
engine  offers  considerable  advantages  over  a  fixed  turbine  engine  in 
its  ability  to  accommodate  changes  in  inlet  distortion  level  resulting 
from  evasive  maneuvers,  weapons  firing  or  soecial  modes  operation 
such  as  V/STOl.  Thus,  turbine  and  nozzle  areas  can  be  modulated  to 
shift  fan  and  compressor  match  points  thereby  providing  stability 
accommodation . 

f.  For  transient  operation,  turbine  and  nozzle  area  modulation  provides 
accurate  control  of  fan  and  compressor  operating  lines  resulting  in 
improved  stability  during  engine  transients.  During  CKVT  operation 
there  is  no  requirement  to  change  rotor  speeds  to  change  thrust  winch 
results  in  thrust  response  capabilities  that  are  not  possible  with  a 
fixed  turbine  engine. 

2.2  Duct  and  Core  Stream  Augmentation 

The  duct  stream  augmentor  typically  is  operational  between  intermediate  and 
maximum  power,  and  it  is  not  operative  during  part-power  engine  operation. 

The  range  of  operation  is  constrained  from  the  minimum  value  of  fuel-air  ratio 
required  to  maintain  stable  combustion,  up  to  one  of  three  possible  maximum, 
limits.  This  is  either  a  maximum  mechanical  limit  on  exhaust  nozzle  area, 
a  maximum  exhaust  nozzle  temperature  for  structural  considerations,  or  a  max¬ 
imum  fuel-air  ratio  to  avoid  stoichiometric  conditions.  In  addition,  a  max¬ 
imum  limit  on  the  duct  augmentor  inlet  Mach  number'  is  imposed  at  mininurr,  light- 
off  fuel-air  ratio  to  assure  consistent  light-off  capability. 

It  is  the  purpose  of  the  duct  augmentor  and  nozzle  control  mode  to  not  only 
maintain  these  operational  limits,  but  also  to  provide  smooth  augmentor  liqnt", 
fast  continuous  modulation,  minimum  disturbance  to  total  engine  airflow,  min¬ 
imum  reduction  in  engine  stability  margin,  good  steady-suate  control  accuracy, 
and  safe  gas  generator  operation  in  the  event  of  blowout.  Tiirust  resi'O'ise  of 


the  duct  augmentor  must  meet  the  time  specifications  of  MIL-E-5007C.  It  is 
also  desirable  to  obtain  all  of  these  objectives  with  a  control  mode  of  min¬ 
imum  complexity. 


2.3  Engine  Ratings 

Four  unique  rating  points  can  be  identified  for  the  variable  cycle  engine  con¬ 
figuration  shown  in  Figure  6.  These  are  intermediate,  breakpoint,  idle,  and 
maximum.  Intermediate  power  is  defined  as  the  maximum  power  available  without 
augmentation  and  without  exceeding  any  engine  operational  limits.  The  inter¬ 
mediate  rating  schedules  were  established  considering  desired  compressor  and 
fan  natch  points,  maximum  high-pressure  turbine  stator  inlet  temperature  limit, 
and  an  inlet  corrected  airflow  schedule  typical  for  a  fighter/bomber  type 
aircraft  application. 

As  noted  previously,  power  can  be  reduced  from  intermediate  while  holding  a 
constant  match  of  the  fan  and  compressor  down  to  breakpoint  power,  which  is 
the  point  at  which  the  low-pressure  turbine  exit  flow  parameter  reaches  its 
maximum  allowable  value. 

The  idle  rating  point  was  varied  as  a  function  of  aircraft  Mach  number  for  this 
study  engine.  At  zero  Mach  number  the  idle  point  is  set  to  be  6  percent  of 
intermediate  power.  Idle  was  set  at  10  percent  of  intermediate  power  for  Mach 
numbers  ranging  between  0.3  and  1.0.  For  Mach  numbers  greater  than  1.5,  idle 
DOwer  was  set  equal  to  breakpoint  power  in  order  to  prevent  a  decrease  of 
airflow  and  subsequent  inlet  matching  problems  when  decreasing  power  from 
intermediate  to  idle.  Interpolation  between  the  power  settings  of  Mach  num¬ 
bers  of  0.0  and  0.3,  and  Mach  numbers  of  I.O  and  1.5  provides  the  idle  ratings 
for  these  ranges  of  Mach  numbers. 

The  idle  and  intermediate  rating  points  define  two  power  settings  which  must 
be  accurately  scheduled  by  the  engine  control  system  as  a  function  of  the 
pilot  power  lever  angle  (PEA),  However,  this  is  not  sufficient  information  to 
determine  the  complete  shape  of  the  control  schedules.  To  provide  ease  of 
operation  of  the  engine,  it  was  found  to  be  desirable  to  provide  the  break-- 
point  power  setting  at  the  same  value  of  PLA  for  all  flight  conditions.  Thus, 
the  pilot  is  provided  with  a  PLA  setting  above  which  he  knows  constant  air¬ 
flow  can  be  maintained,  and  above  which  he  can  expect  the  engine  response  to 
be  different.  Finally,  a  requirement  for  an  essentially  linear  relationship 
of  thrust-versus-PLA  between  idle  and  breakpoint,  and  between  breakpoint  and 
intermediate  was  imposed. 

The  above  constraints  are  sufficient  for  defining  control  schedules  for  a  fixed 
area  turbine  engine.  For  a  variable-area  turbine  engine,  however,  these  con¬ 
straints  can  be  met  with  a  wide  variety  of  turbine  area  settings  between  idle 
and  breakpoint,  and  between  breakpoint  and  intermediate  power.  Between  break- 


13 


point  and  intermediate  power,  the  requirement  for  constant  match  of  the  fan 
and  compressor  establishes  the  constraints  on  turbine  area  settings.  Below 
breakpoint  power,  the  establishment  of  the  desired  fan  and  compressor  operat¬ 
ing  lines  and  the  relationship  between  corrected  rotor  speeds  provide  the 
necessary  constraints.  These  relationships  might  vary  depending  on  the  air¬ 
craft  mission,  and  for  this  study  the  operating  lines  were  established  to  min¬ 
imize  the  variation  of  the  turbine  area  settings  between  breakpoint  and  idle 
power. 

With  the  addition  of  augmentation,  the  maximum  rating  point  is  obtained  at 
either  the  maximum  exhaust  gas  temperature,  maximum  exhaust  nozzle  area  or 
maximum  fuel-air  ratio.  A  requirement  for  linearity  of  the  thrust-versus-PLA 
relationships  is  imposed  between  minimum  augmentation  and  maximum  power, 

2.4  Operational  Limits 

The  operational  limits  of  a  variable  cycle  engine  can  bo  delineated  into  three 
categories:  aerodynamic,  thermodynamic,  and  mechanical  or  structural.  Typical 
aerodyriamic  limits  are  choking  of  a  nozzle,  airflow  separation  along  a  com¬ 
pressor  or  t.r'bine  airfoil,  maximum  airflow,  minimum  augmentor  inlet  Kach  num¬ 
ber  required  lor  light-off,  and  compressor  surge.  The  range  of  CMVT  operation 
is  limited  by  aerodynamic  limits  of  the  low  turbine  exit  guide  vane.  For  the 
low  power  end  of  the  CMVT  range, the  low-pressure  turbine  exit  flow  parameter 
is  limited  to  a  maximum  value  determined  from  consideration  of  pressure  loss 
and  flow  separation  of  the  exit  guide  vane.  For  the  high  power  end,  a  minimum 
limit  of  low-pressure  turbine  exit  flow  parameter  can  be  correlative  with  blade 
stress  limits  and  loss  in  turbine  performance,  resulting  from  efficiency  and 
flow  separation  effects. 

Thermodynamic  limits  include  minimum  burner  fuel-air  ratio  required  to  main¬ 
tain  burning  and  maximum  fuel-air  ratio  to  avoid  exceeding  stoichiometric 
operation. 

Mechanical  and  structural  limitations  include  maximum  rotor  speeds,  maximum 
burner  case  pressure,  creep  limits,  maximum  value  of  and  rates  of  change  of 
high-pressure  turbine  stator  inlet  temperature,  maximum  augmentor  temperatures, 
and  the  entire  set  of  control  variable  rate  and  amplitude  limits. 

All  operatiuhcl  limits  identified  in  these  categories  must  be  considered  in  the 
design  of  the  control  system.  Some  will  affect  control  schedule  requirements, 
others  will  affect  control  logic,  and  some  will  require  individual  control 
loops  to  guarantee  avoidance  of  the  limit.  The  impact  of  these  limits  on  the 
control  for  this  engine  configuration  will  become  more  apparent  in  the  discus¬ 
sion  of  the  control  schedules  derived  to  meet  the  above  requirements. 


2.4.1  Basic  Control  Modes 


A  simplified  mode  logic  block  diagram  shown  in  Figure  7  illustrates  the  basic 
control  paths  and  the  required  input  parameters. 

Referring  to  the  simplified  logic  block  diagram,  fan  inlet  guide  vane  angle 
(FIGV)  and  compressor  stator  vane  angle  (CSVA),  are  open-loop  scheduled  as  a 
function  of  low  and  high  rotor  corrected  speeds,  respectively.  With  CSVA  on 
schedule,  high  pressure  turbine  inlet  area  (A4)  controls  compressor  discharge 
Mach  number,  which  is  characterized  by  the  difference  between  total  and  static 
pressures  divided  by  total  pressure  of  the  compressoi"  discharge  (ilP/P]3.  Low 
turbine  inlet  area  (A41}  controls  compressor  corrected  speed  to 

set  the  match  of  the  compressor.  Similarly,  with  FIGV  on  schedule,  core  stream 
exhaust  nozzle  area  (AJE)  controls  fan  corrected  speed  (XNL/y^)  and  duct 
streaiii  exhaust  -^ozzle  area  (A.’C)  controls  tan  discharge  Mach  number,  which  is 
characterized  by  (  AP/P}13,  to  set  the  match  of  the  ■•'an  during  CKVT  operation. 
The  CMVT  mode  of  operation  maintains  a  constant  airflow  over  a  range  of  engine 
power  settings.  Gas  generator  fuel  flow  (WF)  then  controls  engine  pressure 
ratio  (P5/P2  or  EPR)  to  set  power  A  correlation  schedule  betweeri  the  WFE 
and  AJE  loops  provides  rough  scheduling  of  AJE  to  eliminate  detrimental  inter¬ 
action  between  these  two  loops  during  rapid  transients.  Below  breakpoint  of 
CMVT  operation,  a  loop  transition  is  made  so  that  WF  controls  low  rotor  speed 
to  set  power  and  AJE  is  held  constant.  A4  now  maintains  the  desired  compressor 
operating  line  and  A41  maintains  the  desired  relationship  between  low  and  high 
rotor  corrected  speeds. 

This  loop  transition  is  accomplished  with  the  first  "Select  Low  Logic"  block 
in  the  WF  control  loop.  Below  breakpoint  power,  engine  pressure  ratio  refer¬ 
ence  (P5/P2  Reference)  is  scheduled  to  remain  at  the  breakpoint  value  while 
low  rotor  speed  reference  (XNL  Reference)  is  scheduled  to  decrease  as  a  func¬ 
tion  of  power  lever  angle  (PLA)  to  correspond  to  part  power  operation.  Thus, 
in  the  range  below  breakpoint  power  the  compensated  engine  pressure  ratio 
error  (P5/P2  error)  will  always  be  a  large  positive  number  relative  to  the 
compensated  low  rotor  speed  error  (XNL  error)  for  steady  state  operation,  and 
the  XfiL  error  path  will  be  selected  by  the  logic  as  the  controlling  error. 
Conversely,  above  breakpoint  power,  the  low  rotor  speed  schedule  is  raised  up 
out  of  the  way  so  that  the  engine  pressure  ratio  path  will  be  selected. 

In  addition  to  the  variable  geometry  and  fuel  flow  loops,  the  VCE  gas  genera¬ 
tor  control  also  includes  logic  for  starting  bleed  and  thrust  balance  bleed 
for  safe  engine  control.  The  starting  bleed  is  opened  at  starting  conailiurib 
for  stability  accommodation  and  is  dosed  at  high  power  conditions  to  provide 
optimum  compressor  operation.  The  thrust  balance  bleed  is  used  to  change 
engine  internal  compart, nent  pressure  and  maintain  rotor  thrust  bearing  load 
within  allowable  limits  from  startup  to  maximum  power.  Control  logic  for  the 


15 


r  -  bl6C 


FIGURE  7 


SIMPLIFIED  BLOCK  DIAGRAM  OF  CONTROL  MODE 


It 


augmentor  turbopuMip  was  developed  under  this  contract  and  is  included  in  the 
gas  generator  control  mode  to  ensure  adequate  hydraulic  pressure  for  the 
engine  actuation  systems  and  duct  augmentation  fuel  flow  during  operation  of 
the  duct  heater. 

2.4.2  Augmentation  Control  Mode 

The  block  diagram  of  the  augmentation  control  mode  is  presented  in  Figure  8. 

A  description  of  the  sequence  of  events  which  occurs  during  a  power  excursion 
from  intermediate  to  maximum  follows. 

MS  FLA  is  advanced  above  the  intermediate  power  setting  of  31  degrees,  inhibit 
logic  iLCGICl)  prevents  the  PLA  signal  tc  the  duct  augmentor  control  logic 
(PLAliH.i  from  increasing  above  84  degrees  until  the  engine  is  up  to  speed  and  the 
light-ofi  detector  (LCD)  confirms  light-off  has  occurred.  Prior  to  the 
light-off,  the  duct  nozzle  is  pre-opened  (LOGIC2)  by  increasing  the  scheduled 
value  of  (  A  P/P)  13,  tfiereby  increasing  fan  surge  margin  to  compensate  for 
the  duct  pressure  fluctuation,  or  "lighting  spike",  which  occurs  during  light- 
off  . 

The  quick-fill  logic  proceeds  to  slew  the  first  segment  metering  valv.  to 
maximum  travel  and  commands  maximum  pump  capacity  to  maximize  metering  valve 
response  characteristics  and  to  fill  the  manifold  as  quickly  as  possible. 

The  control  monitors  metering  valve  position  feedback  and  uses  the  informa¬ 
tion  along  with  stored  dynamic  characteristics  for-  the  system  to  predict  the 
point  in  time  where  the  metering  valve  must  reduce  flow  in  order  to  arrive  at 
the  scheduled  light-off  fuel  flow  without  underfilling  or  overfilling  the  man¬ 
ifold.  After  establishing  light-off,  PLA'IH  is  released  and  ramps  up  to  the 
requested  PLA  value.  A  similar  sequence  of  events  occurs  on  the  subsequent 
segments  which  are  timed  approximately  to  ensure  obtaining  maximum  thrust  with- 
in"2  seconds  ('flL-E-SOO/U  requirement)  afi.er  initiation  of  an  interrnediate-to- 
maxirium  PLm  step. 

During  the  transient,  rough  correlation  between  AJD  and  WFDH/WA13  is  provided 
by  the  steady-state  schedules  versus  PLADH,  As  noted  above,  the  AJD  trim 
integrator  acts  to  maintain  accurate  control  of  (AP/P)  13.  If  the  duct 
exhaust  nozzle  area  should  saturate  wide  open,  either  during  transient  or 
steady-state  operation  before  the  (  AP/P)  13  error  is  reduced  to  zero, 
a  further  increase  in  WFDM/WA13  would  cause  an  oversuppression  of  the  fan. 

This  is  due  to  the  decrease  of  effective  area  as  exhaust  temperature  is  in¬ 
creased  with  a  constant  flow  area.  To  preclude  transient  fan  surge  or  steady- 
stale  off-design  operation  of  the  fan,  the  integral  trim  action  is  trans- 
fe^-red,  by  the  logic  sliown  in  Figure  8,  to  the  fuel-air  path  to  decrease  fuel- 
air  as  necessary  in  the  event  the  area  saturates  open. 


17 


FIGURE  8  VARIABLE  CYCLE  ENGINE  CONTROL  MODE- DUCT  STREAM 
AUGMENTOR  CONTROL  BLOCK  DIAGRAM 


18 


SECTION  III  CONTROLLER  PRELIMINARY  DESIGN 
3.1  Introduction 

The  final  RAEEC  system  design  presented  in  this  section  is  developed  through 
a  series  of  trade  studies  and  analyses  from  a  baseline  system  defined,  essen¬ 
tially,  by  the  U.S.  Navy-sponsored  FAOEC  program.  Primary  areas  of  concern 
in  this  study  are  requirements  for  improved  reliability,  maintainability  and 
safety.  Emphasis  has  been  placed  on  Redundancy  Management,  coverage. and  on 
self  diagnostics  and  testing.  A  reliability  analysis  for  both  the  baseline 
and  final  systems  is  presented  as  well  as  a  flight  safety  model  for  the  final 
system. 

A  detailed  circuit  level  analysis  of  the  RAEEC  system  is  made  here.  Consid¬ 
erable  effort  has  been  devoted  to  presenting  the  alternatives  examined  for 
Implementation  of  the  various  subsystems  in  the  control.  Based  upon  a  concise 
matrix  trade  summary,  a  power/area/reliability  sensitivity  study  is  presented 
and  a  final  RAEEC  system  design  derived. 

Finally,  a  thorough  description  of  the  mechanical  design  aspects  of  the  con¬ 
trol  is  given.  Improvements  over  the  baseline  configuration  are  delineated, 
with  primary  emphasis  placed  upon  the  implementation  of  the  control's  modular 
construction  to  satisfy  reliability  and  maintainability  requirements.  Of 
specific  concern  here,  is  the  ability  of  the  control  package  and  contents  to 
operate  reliably  in  the  projected  thermal,  vibratory,  and  acoustic  environment 
to  be  encountered  during  actual  service, 

3.2  System  Description 

3.2.1  RAEEC  Baseline  System 

The  RAEEC  baseline  electronic  unit  provides  all  of  the  sensor  signal  condition 
ing,  computation,  and  output  signal  processing  functions  necessary  for  control 
ling  the  variable  cycle  engine  configuration  as  described  in  Section  II.  A 
simplified  block  diagram  shown  in  Figure  9  illustrates  the  baseline  control. 
The  control  unit  employs  two  digital  processors,  redundant  input  and  output 
circuitry,  and  two  power  supplies  organized  into  primary  and  secondary  con¬ 
trollers  to  provide  secondary  control  capability. 

The  control  loop  computations,  synthesizations,  self-testing,  and  types  of 
Inputs  and  outputs  processed  within  the  primary  and  secondary  portions  of  the 
electronic  unit  are  listed  in  Table  3. 


FIGURE  9  RAEEC  BASELINE  SYSTEM  SIMPLIFIED  BLOCK  DIAGRAM 


20 


:C  BASELINE  SYSTEM  DEFINITION 


5l_^^5l-o^5lo 


O  O  -  r~  , 


n — 


• 

L. 

03  1 

Q. 

L.  U 

£ 

r— 

3  d) 

03 

»D 

'tJ 

U 

i/>  L- 

h- 

03  ^ 

•«— 

v> 

v>  ^— 

s-  O 

4-> 

•  #— 

0; 

3  f— 

c 

Q 

U  Q 

• 

(A 

a; 

Q_ 

O.  4^ 

VO  OJ 

t. 

O? 

03 

£  •  O 

C3  Cn 

03 

C 

p—  CTt 

03  K~ 

u  u 

A3  S- 

K-  £ 

CL  <0 

M- 

jD 

4-> 

0; 

<—  »—  Oj 
<n  r—' 

4-J  OJ  c 

o  *0  ^ 

u 

4-»  m  o 

d)  sn 

^  ^  i/1 

c  f  ^ 

n  ^ 

C  u  £  i 

'^301 
U.  h-  O  I 


U 

4->  o  a> . 
a>  </>  u 

r-  </>  3 

c  a»  • 

i-  irt  ( 
CL  (U 
C  £  i. 
<0  O  Qu 
U-  O  l 


U  0^0) 
3  O)  ^—  U  U 
H—  S-  CO  3 
3  CU 

<1>  c‘>  CJ5  0  CO 
i-  cO  L_  (V 

3  0^  ro  U  U 

lo  ^  x:  o  a. 

VI  Q.  u  l/T 

—  -n-  QJ  O 

CL  <0  o  L.  »|- 
-M  Ol-U 

S  o  c  E  c 
O  K  03  5  QJ 

^  LL  CJ 


03 

C  O) 

Of  c 

C  >■  •»“ 

03  J3 

0)  >  ^ 

•—  0  3 

0>  03  ^ 

C  T3  03  I 

a;  -p-  ^  o) 

3  to  i- 
3-0  3 

03  1.  l/> 

>  4->  O 
O)  O)  V>  03 
-J  •—  to  t- 

c  o;  (X 

L-  ^  05  i 

^  CLf  03 

I  »  C  E  cn  w 

I  O  fO  o  'f-  < 

I  (X  Ll  LJ  X 


03 

o 

u. 

1— 

03 

N 

3  i 

u.  o 

O 

s: 

4-» 

L. 

A3  r— 

V) 

e  <Li 

3 

•f“  3 

A3 

w. 

-C 

CL 

X 

>» 

LlJ 

E 

o 

44  *D 

A1  C 

03 

1-  O 

03  U 

C  <D 

tn 

03  1/1 

A3  O 

4-’  03 

• 

u  s. 

cA  O 

3  < 

fd  • 

o 

CJ  O 

03 

&. 

3 

I  h-  C\J  VI 
00  CSJ  CO 
h-  03 

u 

a. 


TABLE  3  RAEEC  BASELINE  SYSTEM  DEFINITION 


§1 _ 


3  (VI  I  I  I  t  I  I  I  •  O  <U 


A 

to 

Q) 

a> 

u 

r“ 

o 

£i 

-O 

<T3 

u 

A 

lO 

a> 

4-» 

O 

£Zi 

0) 

V- 

Q 

lO 

0) 

O) 

r* 

-O 

o 

iO  (T5 

c 

^  C 

4-> 

(L>  LU 

LU 

o 

X 

<1; 

UJ 

cr* 

-C  jC  o 

x: 

UJ 

•p“ 

:s  u  uj 

u 

UJ 

4-> 

>s 

c 

•r^ 

u 

u 

O  X 

>> 

<0 

o 

to 

U 

to  -O 

4-> 

fO 

c 

c 

-C  -M 

£ 

■M 

o 

OJ 

CD  O 

o 

u 

S, 

»i»  ^ 

u 

01 

<U  •<“ 

a. 

to 

3 

3C  CL 

o. 

< 

c  c  c 
o  o  o 

(_>  T-  *1“ 


c  c  c  c  c  c 
o  o  o  o  o  o 


■o  •»- 

QJ  iA  ^/) 
0)  O  O 

O.CU  a. 

(/> 

L.  W 

CL  o  o 
B  Uu  lu 
3 

CL  t/>  t/» 

m  (0 

o 

•  3  S 

I  h-  to  to 


(/)(/>(/)(/></)!/) 
o  o  o  o  o  o 
a.  Q.  D.  a.  c.  Q. 

U  U  U  L.  V.  u 

o  o  o  o  c  o 


i/y  iA  A  {/>  lA  iA 

(Q  (O  (0  (T9  ^  (O 

(U  (!>  <U  OJ  dJ  ^ 

to  to  CO  (/) 


ro  — 1 

O  fO\ 


c 

o  »— 
o  o 

4->  ^ 

(U  c 

i/1  c  o 

oi  ‘ 


U  l-L  I 

c 


40  1.  U-  O 

u  •  ♦!- 

2L  iA  q:  :z  Q. 


<  0-10 
O  >  ^  LU  O  UJ  LU 

u-octcccr-st^^ 


o  o 

O  C  L. 
•r-  4J 

t-  OY  c 
o  c  o 

U.  UJ  <-J 


a; 

u  »— 
0  0)0 
o  c  u 

4J 

i-  CT>  c 
o  c  o 

U.  LU  O 


NUMBER  INCLUDED  IN: 
PRIMARY  I  SECONDARY 


SL 

t '  -  f—  r—  ( 


O  0^0  I— 


- - 


>» 

1 

u> 

E 

<4- 

^- 

M- 

L. 

■o 

UJ 

<L> 

14- 

*4- 

d. 

«5 

c 

UJ 

3s 

4-> 

o 

O 

o 

E 

o 

U 

on 

2 

4-» 

4-» 

4-> 

•r* 

u 

>1 

d 

>»0- 

o 

3 

O 

3 

U 

QJ 

u 

■o 

to  uo 

.C 

X 

X 

O. 

LO 

fd 

c 

< 

Li. 

oo 

CO 

CO 

E 

O 

1/) 

CA 

•r* 

u 

"o  c 

3 

3 

a> 

O 

u 

a; 

U  O 

c  c  c 

0) 

o 

o 

O 

4-> 

+-> 

CL 

CO 

4-* 

OOO 

o 

rd 

C  "O 

•r*  ‘r-  T* 

u. 

li. 

u. 

u. 

u 

U 

VI 

VI 

o  cu 

^  4-> 

»f— 

a> 

QJ 

O  4-» 

T- 

>> 

^— 

“O 

“D 

“O 

•u 

4-> 

d 

</)  cA  cn 

u 

Ci 

a> 

0) 

c 

C 

O) 

d 

d 

I—  u 

OOO 

«d  <L» 

o 

3 

3 

1— H 

1—4 

1-^ 

u 

u 

d  o 

c.  a.  a. 

6  > 

u. 

Lu 

U. 

J3 

•r* 

•r“ 

C  -J 

•f—  r— 

Q.  *0 

o. 

<d 

■o 

“O 

o 

u  u  i. 

t-  <T5 

f— 

CM 

ro 

E 

<X) 

E 

c 

C 

c 

3> 

OOO 

Q.  > 

fd 

fd 

LU 

»— 4 

^  4J 

4U  d 

u.  u.  u. 

o 

a> 

O 

P— 

d  r— 

* 

c 

c 

c 

rd 

CJ 

CA 

a>  3 

U  Ll 

(/)  </l  tA 

C  M- 

o 

o 

O 

4-J 

c 

4-i 

LU 

d 

d  d 

O) 

<d  Aj  /d 

<U  O 

0)  tM 

0)  M 

a> 

UJ 

LU 

4-' 

U- 

CL-P 

o  4-> 

> 

> 

> 

Q. 

Q. 

U. 

U- 

O  r- 

O  Oi  o 

O 

4-> 

^  4-> 

»—  4-> 

>1 

3 

(.J 

1  3 

£  £  6  1  1 

1  1  <A  x; 

u 

•d  u 

fU  u 

rd  1 

1  U 

UJ 

U 

u 

3> 

d 

:3  UJ 

c  d  1 

<d  fo  <d  1  1 

1  1  ^d  CO 

3 

>  3 

>  3  >  1 

1  1  o 

UJ 

O 

u. 

OC  UJ 

O  Ll  I 

(✓)</)(/)!  1 

1  1  o 

Q 

o 

o 

t 

1  o 

o 

.J 

Z  1 

I 

a: 

1 

CO 

•  •  CO  a> 

•D  c 

•  r-  4->  -r-  1/1 

r-CMfOO  i-CT3CL 
OOO  C  W-UJ 

U.LJUL1. 

3:3^3^—  CO(y^^—  3 
O 
LO 


c 

i-  v/>  o 

o  cr 

+-»  fd  >> 

c  —  u 

u-  'd 

3  a  u 

<  E  13. 


Ol 

d 

u. 

a> 

d 

Ll 

4-* 

Ol 

4-> 

3 

d 

c 

d 

Ll 

o 

3 

Ll 

d  — 

4^  • 

>1 

Ll  -O 

>>■0 

f— 

u 

(1> 

u  Q> 

3 

fd 

>>-C 

d  X 

d 

■o 

U  U 

■D  U  Ll 

c 

d  4-* 

C  4-> 

o 

E  d 

0  d 

to 

u 

•r-  «j 

u  ^ 

0 

o 

cu  ^ 

O' 

CO 

CL 

VO 

<D 

U  r- 

o  dl  o 
o  c  u 

4-^ 

i-  oi  c 
o  c  o 

U.  UJ  o 


23 


TABLE  3  RAEEC  BASELINE  SYSTEM  DEFINITION  (Continued) 


I 


. . 


TABLE  3  RAEEC  BASELINE  SYSTEM  DEFINITION  (Continued) 


25 


TABLE  3  RAEEC  BASELINE  SVSTEM  DEFINITION  (Continued) 


26 


Inputs  are  fed  into  each  CPU  via  time  multiplexed  analog-to-digital  con¬ 
verters  (A/D),  resolver  to  digital  converters  (R/D)  and  digital  pulse 
counters.  All  of  these  interfaces  are  read  into  the  CPU  on  a  3-state  input/ 
output  (I/O)  bus.  CPU  inputs  are  received  as  parallel  16-bit  words. 


Output  signals  for  the  Processor  are  handled  similarly,  with  commands  beina 
sent  out  serially  via  the  I/O  bus  to  the  digital-to-analog  converters  (0/A). 
The  0/A's  convert  the  digital  ward  to  a  voltage  level  proportional  to  the  mag¬ 
nitude  of  the  command,  providing  control  of  the  output  drivers  which  power 
the  effectors. 

The  flag  outputs  provide  a  means  of  communicating  to  ground  personnel  system 
fault  conditions,  as  well  as  providing  information  as  to  which  system,  the 
primary  or  secondary  is  not  operational. 

The  digital  processor  used  in  the  primary  portion  of  the  control  is  duplicated 
in  the  secondary  portion.  The  processor  is  capable  of  the  following  perform¬ 
ance: 


16  bit  full  parallel  operation 

2.0  microsecond  addition  time 

12.0  microsecond  multiply  time 

87  instruction  repertoire 

390,000  operations  per  second  through-put 

1,0  Megahertz  clock  rate 

The  primary  processor  services  the  following  memory  subsystems: 

lOK  -  16  bit  words  of  Programmable  Read  Only  Memory  (PROM) 

384  -  16  bit  words  of  Random  Access  Memory  (RAM) 

64  -  16  bit  words  of  CPU  -  Alterable  RAM 

The  secondary  processor  services  the  same  complement  of  Random  Access  Memory 
but  only  8K  words  of  PROM,  due  to  the  elimination  of  augmentation  fuel  control 
logic  in  the  backup  mode. 


27 


3.2.2  Secondary  Control  Provisions,  Self  Test  and  Diagnostic  System 


The  electronic  secondary  approach  selected  for  the  RACEC  baseline  system  employs 
dual  path  redundancy  to  provide  a  highly  fault  tolerant,  nearly  fail  opera- 
tional/fai Isafe,  "self  healing"  system  concept.  A  simplified  schematic  of 
this  concept  is  illustrated  in  Figure  9.  As  shown  in  Figure  9,  the  electronic 
unit  is  organized  into  separate  primary  and  secondary  systems,  each  incorpor¬ 
ating  a  digital  processor  and  complement  of  inpiit  and  output  circuitry.  To¬ 
gether  they  are  able  to  provide  full  authority  digital  electronic  control  of 
all  engine  and  augmentor  functions  And  secondary  control  tor  gas  generator  func¬ 
tions  through  redundant  circuit  paths  and  alternate  control  modes.  Self  test 
and  fault  detection  features  are  included  to  implement  corrective  action  in 
the  event  of  failures  within  the  unit,  external  sensors  or  output  devices 
(Table  3).  The  six  pressure  sensors  required  for  control  of  the  V'CE  ere  housed 
within  the  unit  and  are  divided  between  the  primary  and  secondary  systems  such 
that  loss  of  either  processor  can  be  tolerated  without  jeepardizing  safe  engine 
operation . 

The  primary  and  secondary  processors  communicate  with  each  other  in  real  time 
through  a  dual  port  RAM.  Because  of  this  communication  capability,  any  failure 
of  one  system  input  parameter  may  be  accommodated  since  the  same  parameter  is 
available  through  inter  rogation  of  the  other  systern  with  its  redundant  sensors. 

Pressure  inputs  are  nonredundant;  however,  four  of  the  six  pressure  inputs  can 
be  synthesized  by  software  from  curves  scored  in  the  CPU  PROHs.  These  syntne- 
sization  curves  are  given  in  Figure  10,  and  ate  derived  from  the  VCE  model  tor 
engine  response.  These  curves  also  provide  for  engine  speed  and  temperature 
parameter  synthesis  as  well  as  for  pressure. 

Synthesized  parameters  are  somewhat  less  accurate  than  sensed  parameters;  how¬ 
ever,  their  accuracy  is  sufficiently  good  to  permit  comparison  checking  with 
sensed  parameters.  The  inclusion  of  parameter  synthesis  in  both  primary  and 
secondary  channels  enables  majority  logic  checks  on  those  parameters  for  input 
sensor  failure. 

If  a  pressure  sensor  failure  is  detected  by  this  means,  the  value  of  the 
synthesized  parameter  can  replace  the  failed  pressure  sensor  input  in  control 
loop  calculations  with  some  loss  in  engine  performance;  however,  the  pilot  is 
still  able  to  safely  abort  the  mission.  The  failed  sensor,  of  course,  must  be 
replaced  before  the  start  of  the  next  mission. 

In  addition  to  the  communication  path  provided  by  the  dual  port  RAK,  four  dis¬ 
cretes  are  transmitted  from  the  primary  to  the  secondary  and  vice  versa.  These 
discretes  provide  a  hardwired  backup  information  interchange  system  in  the 
event  that  the  previously  described  RAM  communication  is  disabled.  These  four 


28 


CURVE  1 


CURVE  2 


NOTE: 

FAIL  1  =>CURVE  1 
FAIL  2  =>CURVE  2 
ETC. 


FIGURE  10  FAILURE  MODE  SYNTHESIZATION  CURVES 


discretes  provide  multiple  states  of  fault  information  to  the  other  processor 
so  that  individual  output  loop  switchover  can  take  place  under  a  multi-fault 
condition.  Since  each  system  is  capable  of  providing  all  the  engine  control 
functions,  with  the  exception  of  augmentation  in  the  secondary  system,  it  is 
desirable  that  the  decision  of  which  system  is  in  control  at  a  given  time 
be  validated  by  a  third  intelligence,  or  voter.  A  hardwired  logic  approach 
was  utilized  since  a  third  processor  would  be  a  costly  solution.  This  circuitry 
receives  input  signals,  or  discretes,  from  each  of  the  two  controls,  and,  based 
on  a  pre-defined  state  table,  makes  a  decision  as  to  which  control  is  in  the 
best  health  and  should,  therefore,  be  placed  in  command. 

Note  that  provision  is  made  not  only  for  the  capability  to  switch  one  system 
in  to  replace  the  other  in  the  event  of  major  malfunction,  but  individual  out¬ 
put  loops  may  also  be  switched  in  and  out  in  the  event  of  less  significant 
malfunctions.  Maximum  flexibility  is  thus  provided  in  response  to  any  mal¬ 
function  si-uation. 

Information  available  for  diagnostic  system  usage  will  consist  of  serial  dig¬ 
ital  data,  discrete  type  data  and  internal  storage  by  means  of  EAROM  (Electri¬ 
cally  Alterable  Read  Only  Memory)  devices  that  are  part  of  the  EEC. 

Serial  digital  data  can  be  transmitted  to  any  data  retrieval  system  (such  as 
the  aircraft's  mission  computer)  for  any  failure  that  occurs  in  the  fuel  con¬ 
trol  system  and  that  is  detectable  by  the  EEC  BIT  (Built-in  Test)  system,  i.e., 
input  and  outputs  that  are  part  of  the  EEC  control  loops,  including  the  EEC 
itself.  The  EEC  system  has  the  capability  to  communicate  with  any  other  on¬ 
board  system  such  as  the  Engine  Condition  Monitoring  unit  which  could  analyze 
all  EEC  generated  data  for  trend  or  fault  analysis. 

EAROM  devices,  located  in  the  EEC  control,  will  be  used  to  store  any  system 
malfunctions  for  later  retrieval,  either  at  the  ground  level  by  maintenance 
personnel  or  through  post-flight  checks  made  by  an  aircraft’s  mission  computer. 
Maintenance  personnel  would  be  alerted  through  the  pilot's  log,  reporting  any 
cockpit  information  faults  generated  and  subsequent  observation  of  EEC  fault 
flags  or  from  a  central  mission  computer  that  continually  interrogates  the  EEC 
status. 

One  feature  of  the  EAROM  fault  identification  system  is  the  detection  and  iso¬ 
lation  of  intermittent  faults  to  the  circuit  level  to  assist  maintenance  per¬ 
sonnel  in  fault  diagnostics. 


I 


3.2.3  Self  Test 

-Automatic  reversion  to  secondary  control  paths  requires  the  ability  to  determine 
that  a  failure  tias  occurred  in  a  primary  path.  The  RAEEC  baseline  provides 
self  test  techniques  which  detect  failures  and  switches  the  control  unit  to  an 
alternate  control  path  allowing  fail  operational  performance.  A  summary  of 
the  tests  performed  within  the  RAEEC  baseline  unit  is  shown  in  Table  3.  As 
indicated  in  this  Table,  some  of  the  tests  are  p  rformed  only  during  pre-flight 
ground  check  while  the  remainder  are  performed  in  flight  as  well.  The  pre¬ 
flight  ground  check  is  initiated  by  a  command  from  the  mission  computer,  with 
ground  check  continuing  until  signaled  by  the  mission  computer  to  enter  the 
flight  mode  of  control.  The  in-flight  tests  are  performed  on  a  continuous 
basis,  independent  of  any  externally  generated  command  signals.  A  detailed 
description  of  each  test  listed  in  Table  3  follows. 

3.2. 3.1  Input  Range  Limit  Test 

The  range  limit  test  is  a  software  BIT  for  detecting  a  failed  computer  input 
signal  caused  by  a  failure  in  the  sensor,  interconnecting  cable,  or  input  in¬ 
terface  circuit.  The  range  limit  test  is  sensitive  only  to  failures  (open  or 
short)  which  produce  hardover  signals.  The  range  test  program  compares  each 
input  signal  level  with  its  normal  operating  range  limits.  Failure  is  indi¬ 
cated  when  the  signal  level  exceeds  its  maximum  or  minimum  limits  for  a  given 
number  of  consecutive  program  cycles.  The  range  limit  test  program  also  gen¬ 
erates  a  digital  failure  status  word  indicating  an  input  signal  failure,  how¬ 
ever,  it  cannot  identify  the  Line  Replaceable  Unit  (LRU)  in  which  the  failure 
occurred,  and  can  only  indicate  that  the  failure  occurred  somewhere  in  the 
system.  The  control  system  is  switched  to  a  redundant  input  signal. 

3. 2. 3. 2  Parameter  Correlation  Check 

The  parameter  correlation  check  compares  redundant  parameter  data  words  to 
determine  if  their  difference  in  value  falls  within  outside  accuracy  bounds. 
"Failure"  in  one  of  the  two  parameters  is  indicated  when  the  accuracy  bounds 
are  exceeded  for  a  given  number  of  consecutive  program  cycles.  However,  the 
failed  parameter  channel  is  not  isolated  by  this  test  alone.  The  redundant 
parameter  data  may  be  generated  by  hardware  or  by  software  synthesis. 

3. 2. 3. 3  Parameter  Majority  Logic  Check 

This  is  a  comparison  of  triple  redundant  parameter  data  words  to  determine  if 
their  differences  in  value  fall  within  outside  accuracy  bounds.  Failure  in  one 
of  the  three  parameters  is  indicated  by  excessive  error  between  its  value  and 
that  of  the  other  two  good  parameters  for  a  given  number  of  consecutive  program 
cycles.  The  error  between  the  values  for  the  two  good  parameter  channels  is, 
of  course,  within  |;arameter  accuracy  limits.  The  failed  parameter  channel  is 


t 


31 


JiL^iijiin.u  . . k 


thereby  identifi'^d  by  this  test  which  generates  a  digital  failure  status  word 
indicating  the  tailed  parameter  channel;  however,  it  cannot  identify  the  LRU 
in  which  the  failure  occurred,  and  can  only  indicate  the  failure  occurred 
somewhere  in  the  system.  The  redundant  parameter  data  may  be  generated  either 
by  hardware  or  by  software  synthesis.  When  failure  is  detected,  the  control 
is  switched  to  a  redundant  input  channel. 

3. 2. 3. 4  Read  Only  Memory  (ROM)  Check 

The  memory  sum  test  is  a  software  BIT  for  detecting  a  failed  ROM,  The  test 
program  sums  each  ROM  location,  and  the  sum  total  must  equal  a  preset  value 
for  validity.  An  incorrect  sum  causes  the  program  to  recycle  on  the  test 
thereby  triggering  a  cycle  time  test  failure.  The  memory  sum  test  program 
also  generates  a  digital  failure  status  word  indicating  a  ROM  failure  occurring 
in  the  ECU,  The  control  system  is  switched  to  the  oackup  control, 

3.2.3. 5  Computer  Cycle  Time  Test 

Computer  cycle  time  is  a  hardware  BIT  for  detecting  a  hung  program.  This  test 
requires  the  completion  of  each  program  cycle  within  a  maximum  allowable  time. 

A  computer  power  on  reset  (POR)  results  when  program  cycle  time  exceeds  the 
timing  limit.  The  PGR  signal  reinitializes  the  program  once  and  also  generates 
a  digital  failure  status  word  indicating  a  hung  program  failure  occurrina  in 
the  ECU.  The  control  system  is  switched  to  the  secondary  control  when  the  test 
is  failed  on  the  next  cycle. 

3.2.3. 6  Output  Wraparound  Test 

Torque  motor/solenoid  outputs  are  electrically  fed  back  as  inputs  to  the  pro¬ 
cessor  for  a  check  by  the  software  to  detect  output  D/A  and  torque  motor/sole¬ 
noid  drive  circuit  failures.  Resultant  action  would  be  to  indicate  an  ECU 
failure  and  to  switch  control  to  a  redundant  output  channel. 

3. 2. 3. 7  Injected  Input  Test 

This  is  a  pre-flight  control  test  which  is  carried  out  on  the  ECU  after  engine 
start  but  prior  to  take  off  .  The  test  is  carried  out  under  the  control  of 
the  flight  computer  which  exercises  all  of  the  ECU  functions.  Failure  of  the 
ECU  to  properly  carry  out  each  function  is  detected  by  the  flight  computer. 
Resultant  action  would  be  to  indicate  an  LRU  failure  which  must  be  repaired  by 
an  unscheduled  "on  line"  service  before  the  mission  is  dispatched. 


3. 2. 3. 8  Canned  Output  Computation 

This  is  also  a  pre-flight  control  test  except  that  the  flight  computer  exer¬ 
cises  the  actuator  loops.  Failure  of  an  actuator  loop  to  respond  within  spec¬ 
ifications  to  programmed  commands  is  detected  by  the  flight  computer.  Result¬ 
ant  action  would  be  to  indicate  a  system  failure  which  must  be  repaired  by 
unscheduled  "on  line"  service  before  the  mission  is  dispatched. 

3. 2. 3. 9  Loop  Dynamic  Check 

The  control  loop  error  (command  value  minus  measured  value)  is  compared  against 
programmed  limits.  Failure  is  indicated  when  the  measut ed  error  exceeds  the 
programmed  error  for  a  given  number  of  consecutive  program  cycles.  The  loop 
dynamic  check  generates  a  digital  failure  status  word  indicating  a  failure  in 
the  control  loop,  but  cannot  alone  identify  in  which  LRU  the  failure  occurred. 
When  combined  with  the  parameter  correlation  check, the  two  tests  can  isolate 
the  failure  to  either  the  primary  or  backup  ECU,  ov  to  the  actuator. 

3.2.3.10  Reference  Signal  Check 

Input  signals  are  supplied  to  multiplexer  channels  at  preset  levels,  converted 
into  digital  data  words,  and  transmitted  to  the  CPU.  In  the  CPU  they  are  com¬ 
pared  to  reference  levels  stored  in  the  memory.  Failure  is  indicated  when  the 
reference  signal  data  word  exceeds  the  stored  references  for  a  given  number  of 
program  cycles.  The  reference  signal  test  program  generates  a  digital  failure 
status  word  indicating  an  input  channel  failure  occurring  in  the  ECU,  and 
switches  controls  to  a  redundant  input  channel. 

3.2.3.11  Power  Supply  Test 

The  purpose  of  this  test  is  to  monitor  the  supplies  for  in-tolerance  operation. 
The  power  supply  test  is  a  hardware  BIT  in  which  positive  and  negative  voltages 
are  continuously  compared  with  reference  voltage  levels.  A  failure  signal  is 
triggered  when  any  supply  voltage  exceeds  its  preset  tolerances.  A  failure 
signal  generates  a  digital  failure  status  word  indicating  power  supply  failure 
occurring  in  the  ECU.  The  control  system  is  automatically  switched  to  the 
secondary  control , 

3.2.3.12  Processor  Instruction  Test 

The  processor  instruction  test  is  a  software  BIT  for  detecting  a  failed  pro¬ 
cessor  hardware  instruction.  The  instruction  test  program  operates  on  each 
instruction  with  a  preset  data  word.  It  compares  tiie  data  word  at  the  end  of 
the  test  with  the  preset  data  word.  An  incorrect  answer  causes  the  program 


33 


to  recycle  on  test,  thereby  triggering  a  cycle  time  test  failure.  The  instruc¬ 
tion  test  program  also  generates  a  digital  failure  status  word  indicating  an 
instruction  failure  occurring  in  the  ECU,  The  control  system  is  switched  to 
the  secondary  control, 

3.2.3.13  Read/Write  (Scratch  Pad)  Memory  Check 

The  scratch  pad  test  is  a  software  BIT  for  detecting  a  failed  read/write  mem¬ 
ory.  The  scratch  pad  test  program  operates  on  each  read/write  memory  location 
with  a  preset  data  word.  The  data  word  is  entered  into  the  read/write  memory 
location  and  then  read  out.  The  output  data  word  is  then  compared  with  the 
preset  data  word.  An  incorrect  answer  causes  the  program  to  recycle  on  test 
triggering  a  cycle  time  test  failure.  The  scratch  pad  test  program  also  gen¬ 
erates  a  digital  failure  status  word  indicating  a  read/write  memory  failure 
occurring  in  the  ECU,  The  control  system  is  switched  to  the  secondary  control. 

3.2.3.14  End  of  Conversion  (EOC)  BIT  Not  Detected 

Failure  of  any  digital  converter  to  provide  the  processor  with  an  EOC  BIT  after 
a  preset  time  period  following  the  start  of  data  conversion  indicates  a  hang¬ 
up  and  therefore,  failed  digital  converter.  The  EOC  test  program  generates 
a  digital  failure  status  word  indicating  which  converter  failed  in  the  ECU, 
and  switching  the  control  to  a  redundant  converter, 

3.2.3.15  Hardware  Parity  and  Code  Verifier  Checks 

This  is  an  automatic  hardware  test  for  detecting  failure  in  the  Serial  Digital 
Data  Transmission  Link, 

3.2.3.16  Clock  Loss  Detect  Circuit 

This  is  a  hardware  test  which  automatically  detects  failure  in  either  of  the 
redundant  clock  oscillators  provided  for  the  processor  by  comparing  their  cycle 
time  period  with  the  timing  period  of  a  one  shot  multivibrator.  Failure  of 
either  oscillator  generates  a  digital  failure  status  word  indicating  a  clock 
failure  occurring  in  the  ECU.  The  control  switch  is  to  the  "good"  clock  for 
processor  timing. 

3.2.3.17  UART  Sync  Word  Detected 

This  is  an  automatic  hardware  test  of  the  UART  cross  talk  channel  providing 
communication  between  the  primary  and  backup  CPU.  If  the  UART  sync  word  is 
not  detected  by  the  receiving  channel  within  a  preset  maximum  time  from  the 
start  of  data  transmission,  a  digital  failure  status  word  is  generated  indi¬ 
cating  failure  of  the  UART  channel  in  the  ECU  and  flagging  a  maintenance  alert. 


34 


3.2.4  RAEEC  Final  System 

3.2.4. 1  Limitations  of  The  Baseline  System 

The  Advanced  Full  Authority  Digital  F.lectronic  Control  (FADEC)  design  study 
provided  the  baseline  system  for  the  RAEEC  program.  The  design  goal  of  FADEC 
was  to  implement  the  VCE  control  modes  delineated  in  Section  II  in  the  VCE 
environment  defined  in  Section  IV,  while  providing  high  mission  reliability. 
This  goal  is  achieved  by  providing  electrically  independent  primary  and  sec¬ 
ondary  channels  with  the  primary  fully  functional,  while  the  secondary  provides 
backup  for  "major"  functions  whose  loss  can  result  in  engine  shutdown.  Elec¬ 
tronic  functions  required  for  Core  Engine  Control  are  classified  "major"  since 
the  loss  of  Core  Engine  Control  requires  the  pilot  to  shutdown  the  engine. 

All  others  are  "minor"  since  their  loss  affects  engine  performance,  but  does 
not  require  shutdown.  Electronic  functions  required  for  Augmentor  Control 
only  are  classified  "minor"  since  the  loss  of  Augmentation  limits  the  pilot  to 
intermediate  power,  but  allows  him  to  safely  abort  the  mission.  For  this 
reason,  the  FADEC  (baseline)  system  secondary  channel  provides  backup  only  for 
core  engine  control . 

The  FADEC  ground  rule  for  fault  alerts  is  to  flag  every  failure  regardless  of 
its  effect  on  system  performance  and  safety,  i.e.,  FADEC  does  not  permit  de¬ 
ferred  maintenance  when  failures  occur. 

The  flagging  of  every  failure  in  a  system  as  complex  as  FADEC  results  in  main¬ 
tenance  MTBF  calculated  as  low  as  3039  hrs  (Section  3.3).  FADEC  achieves 
high  mission  reliability  at  the  cost  of  frequent  repairs  which  reduces  avail¬ 
ability. 

The  objective  of  the  RAEEC  program  is  to  achieve  25,000  hrs  maintenance  MTBF 
while  meeting  all  FADEC  design  goals  including  high  mission  reliability.  At 
present,  it  is  not  feasible  to  meet  such  a  stringent  requirement  by  improve¬ 
ments  in  device  reliability  alone  (i.e.,  single  channel  reliability).  Redun¬ 
dancy  Management  (RM)  techniques,  as  discussed  in  Section  3.3,  must  also  be 
employed  in  the  RAEEC  program  to  extend  maintenance  MTBF.  The  FADEC  ground 
rule,  requiring  every  failure  to  be  flagged,  is  incompatible  with  the  applica¬ 
tion  of  RM  techniques  for  the  improvement  of  maintenance  reliability.  The 
FINAL  RAEEC  system,  therefore,  employs  ground  rules  for  flagging  fault  alerts 
which  differ  from  FADEC  by  permitting  deferred  maintenance  for  failures  pro¬ 
viding  they  meet  the  following  conditions; 

a)  The  failure  must  not  cause  any  loss  or  curtailment  of  system  perform¬ 
ance. 


35 


b)  Mission  reliability  following  the  occurrence  of  the  failure  must  not 
be.  any  less  than  that  of  the  FADEC  (which  is  also  the  RAEEC  baseline) 
system,  i.e.,  a  second  like  failure  must  not  result  in  engine  shutdown. 

The  application  of  RAEEC  groundrules  for  flagging  fault  alerts  to  the  baseline 
system  described  in  Section  3.2.1  yields  only  an  insignificant  improvement  in 
maintenance  MTBF.  This  is  because  all  major  electronic  functions  are  limited 
to  dual  redundancy  while  most  minor  functions  are  nonredundant.  These  limita¬ 
tions  reflect  the  design  goals  cf  the  FADEC  system  which  is  used  as  the  base¬ 
line  for  the  RAEEC  program.  An  evaluation  of  Table  6  indicates  that  the  only 
major  function  that  need  not  be  flagged  for  a  first  failure  is  Nu  because 
parameter  synthesization  is  available  for  this  input  as  well  as  dual  redundant 
sensors. 

Similarly,  several  minor  functions  require  no  first  failure  alerts  because 
they  are  inputs  provided  with  dual  redundant  sensors.  This  analysis,  therefore, 
suggests  that  effective  use  of  RM  technique  for  enhancing  the  maintenance  re¬ 
liability  of  the  FINAL  RAEEC  system  requires  triple  redundancy  for  major  func¬ 
tions,  and  dual  redundancy  for  minor  functions.  Parameter  synthesis,  where 
available,  can  be  included  as  one  of  the  redundant  elements  (except  in  the 
case  of  TBT). 

3. 2, 4, 2  RAEEC  System  Design  Improvements 

The  application  of  RM  techniques  to  enhance  maintenance  reliability  provides 
the  major  impetus  for  the  RAEEC  final  system  design.  Also  significantly  im¬ 
pacting  system  design  is  the  application  of  "in-production"  LSI  devices  (such 
as  microcomputers)  capable  of  generating  higher  electronic  functions  on  a 
single  chip,  and  the  use  of  signaling  modes  such  as  "Pulse  Width  Modulation" 
(PWM)  for  output  control.  Both  techniques  substantially  improve  EEC  reliabil¬ 
ity  by  reducing  the  number  of  circuit  components,  circuit  complexity,  and  power 
dissipation. 

Utilization  of  the  above  techniques  for  improving  maintenance  reliability 
requires  substantial  changes  in  system  configuration  partitioning,  and  CPU 
architecture.  These  changes  are  reflected  in  the  simplified  block  diagram  for 
the  RAEEC  final  system  shown  in  Figure  11,  and  in  the  RAEEC  final  system  def¬ 
inition  given  in  Table  4.  Section  3.4  provides  a  detailed  description  of  the 
RAEEC  final  system  electrical  design. 


3C 


FIGURE  n  RAEEC  FINAL  SYSTEM  SIMPLIFIED  BLOCK  DIAGRAM 


TABLE  4  RAEEC  FINAL  SYSTEM  DEFINITION 


NCLDDED  IN: 
SECONDARY 

- 

St-^^5 

UoSl 

l- . c 

r—  r-f—  CVJ  r\JC\J^r"*i — 

NUMBER  I 
PRIMARY 

— 

it-r-CV.S 

UoSi 

u  ^  £ 

C\J  CSJ  CvJ  r—  r-*  r—  CNJ  CM 

w 

o 

4-* 

<T3 

C 

<U 


Q. 

Q. 


U 

OJ 

3 

o 

Ci- 


u 

TO 

TO 

TO  S 

01 

1 

o 

<u 

a> 

CJ  o 

cr> 

c 

4-> 

V. 

u 

u  ^ 

• 

s. 

OJ  OJ 

TO 

< 

< 

<  LU 

D. 

«o 

s.  w 

3  4L1 

E 

r— 

n— 

x: 

3  O 

4->  0) 

+-> 

0) 

<u  r— 

^3 

dj 

<o 

TO 

u 

cO  u- 

U  T— 

<u 

r—  Ol 

t— 

CJ 

4-> 

•r“ 

(/> 

l/t 

<  c 

N 

IM  3 

% 

i/t 

o 

4^ 

•r* 

OJ  ‘r* 

c 

N 

rs  Lu 

o 

IQ  3Y 

3 

1— 

c 

o 

u  o 

Ol 

l-H 

O 

O 

o  c 

• 

<0 

<A 

OJ 

D- 

c  o 

Z 

2  >^Ll. 

Q. 

4-» 

iO 

0) 

u 

0) 

0) 

OJ 

TO  C 

a; 

U 

"O  “O 

s  • 

o 

CJ 

OY 

01 

c: 

r—  OY 

c 

>  'r- 

c 

4-> 

4->  <0 

dj  c 

0)  Q.h- 

w 

w 

^- 

♦r- 

TO  S- 

TO 

-Q 

eft 

tft  B 

0) 

Q  *•“ 

H-  e 

d. 

<o 

«4- 

4-»  TO 

OJ 

> 

S- 

3 

3  T- 

3 

-o  10 

OJ 

4-» 

•»— 

L. 

O  -C 

O  3 

u 

TO 

TO  w 

Lu 

£ 

OJ  <u 

*o 

r-  »— 

<u 

o 

o 

3 

QJ  h-  U 

01 

4->  H- 

3 

-C  CL 

o  u 

cj  a* 

d) 

<0 

r— 

<o 

«/> 

h- 

S. 

t/>  0) 

c 

■o 

TO 

H- 

X 

K 

>, 

Si-  o 

o.  a. 

a* 

4-J  <U 

C 

4-> 

•1* 

CD 

3 

oj  ‘T-  i- 

cX. 

4->  OJ 

LiJ 

UJ  s. 

U 

U_  4-> 

CO  CO 

a. 

o  -o 

o 

o 

O' 

O 

t/> 

OYCJ  3 

3 

CO  S- 

O 

o 

TO 

TO 

CO 

^—  <o 

H- 

u 

u 

i/> 

U  A 

u 

o 

3 

U 

£ 

E  4-> 

T5 

^  C  1 

Q.  U 

u 

u 

«o 

3 

Ol 

TO  u  <o 

Ol 

U  eft 

3 

S  TO 

c 

<h  u 

E  O 

S- 

4->  CO 

o 

4i-> 

o 

Ol  .c 

o 

(/> 

S.  ^  O  O) 

> 

4-> 

O  tft 

eft 

dj 

OJ  U 

o 

<LI 

3  •*-» 

o 

dj 

o 

iA 

u 

u 

u 

iA 

Q- 

U  to  u 

0) 

Ol 

tft  <D 

eft 

u 

U  Ol 

C) 

r—  4_> 

d.  O 

4-» 

‘  OJ 

</> 

c/> 

3 

t/» 

3 

O) 

l/i  to  Ci. 

eft  U 

O) 

4-i 

-♦-»  c 

<u 

cd 

o 

cr  c 

Cl 

C 

<D 

iO 

•1“ 

u 

r-“ 

•  r-  QJ 

c 

Ol  CL 

U 

t/0 

CO  O 

CO 

Q 

c: 

►-4  ‘r* 

u 

W 

\A  O 

I/J 

a. 

.•a  o  u  >— 

w 

r— 4 

u 

<o 

a. 

CD 

-c 

CL 

O.  0) 

OJ 

Q.  TO 

Q> 

ci.x: 

m 

0) 

•U 

« 

</) 

1  S-  5  1 

1  c  u 

E 

1  c 

E 

c 

u 

O 

c  6 

1  ^ 

l: 

E  C>H- 

3: 

u 

u  eft 

CD 

1  3  ‘r- 

O  1 

1  ^0  3 

O 

1  m 

O  Q. 

TO 

Q. 

O  h- 

rO  C  4-> 

1  o 

TO 

o  •»“ 

cr 

o 

o 

3  T^ 

• 

1  1—  X 

^  1 

1  U-  H- 

o 

1  LU 

o 

u. 

U  O 

1  CL 

Ul 

O  X 

— t 

o 

O  <3 

CD 

T5 

<U 

a» 

QJ 

on 

V 

c 


c 

UJ 


^  ei-h-h- 


<i> 


<u 

|oj  h-  c\j 
CO  fsi  </» 
<X> 

o. 


|C\J  CO 

fc  t 


Cu 


O 

m  oo 

•r* 

< 

Q-  CO 

LiO 

»—  CL 

4-» 

=t  CJ  =» 

^  LU  O  LU  UJ 

H- 

1— 

_j  (— 1 1/)  ^ 

^  Lu  U 

O. 

Q. 

tft 

TO 

3.  U.  O  < 

<  <  <  :a  3. 

OJ  1 

r-  tft 

u 

eft 

U 

1  -r- 

o>  c 

CD  £ 

r— 

U  C 

TO 

cn 

C  ^o 

U  +-* 

«o 

0)  o 

c 

•I-  L- 

3  •- 

3 

r-  U 

CD 

•n- 

CO 

c 

•1“ 

tft 

</>  h- 

-3  3 

O 

UJ  -M 

</> 

4->  a> 
3  U 
O-  O 

c  ^ 


a;  Of  I  r- 

w  L.  I  c  c  o 
o  o  c  T-  o  u 

U.  O  UJ  o^o  4-> 


38 


NUMBER  INCLUDED  IN; 


'  '  '  '  ^ 

• — 1  III)  ■ — 1 


cn 

t/> 

0) 

a> 

u 

o 

o 

O 

o 

4-> 

4-> 

4-> 

ro 

u 

3: 

% 

</> 

t/> 

0) 

o 

o 

o 

•r« 

•r~ 

4-> 

o 

O 

0) 

Lu 

Lu 

Li- 

C3 

00 

0) 

O) 

0) 

0> 

CJ 

(4- 

3 

3 

3 

JH 

o 

Lu 

Lu 

Lu 

i/l  rO 

(Vi 

»“  C 

c 

+-> 

U 

U 

S- 

O  LU 

LU 

O  X 

O 

o 

o 

0) 

LU  cr» 

4-) 

4-> 

4-» 

.C  -C  o 

x: 

UJ  T- 

c 

C 

c 

a>  3  u  LU 

u 

OJ 

O) 

<D 

U  4-> 

LU 

4-> 

>> 

i> 

i. 

& 

•r-  C  ‘r- 

Uu  O  3: 

•r“ 

<3  o 

3  > 

r— 

3 

csj  3  m 

w 

•o  -fj 

< 

< 

4U  U> 

c  c 

<u 

<D  O 

o>  x:  4-> 

E 

4U 

o  o 

+-) 

c 

4-» 

C  4->  C 

^  o>  o 

•r» 

O 

u  E 

u 

o 

U 

O  O  O  1 

f  1  1 

till 

1  ij 

L- 

OJ  cn 

3  M 

3  M  3  M  1 

1  1  1 

till 

1  o  0)  ‘r- 

Q. 

(/)  3 

a 

O  1 

1  1  1 

till 

1  o:  :z  cu 

Ou 

< 

ccccccccc 

ooocooooo 

O  ’f  •»“  'r- 

■^3  "f”  ‘r*  T—  'r~  T—  "f*  ‘r— 

0)00000000 
Q.Q-Q_Q_CuQ_Q>a-  Q, 
t/^ 

0.00000000 


TABLE  4  RAEEC  FINAL  SYSTEM  DEFINITION  (Continued) 


o 

L  5l 

CMCMr-  f—  r-  r—  ^ 

TIT 

L 

L 

0 

L 

0 

o 

5j 

ru«—  »—  C'O  »—  r-  r—  P-  W- ^ 

i-  o  -  o  ^  3 

c  c  c 
o  o  o 


(/I  C/>  t/I 

o  o  o 

0.0-0. 

s-  s-  s- 
o  o  o 

Lu  Lu  U- 

i/> 

(T3 

D  CU  CU 

i  §  §  * 

<T3  I 
to  CO  I 


1 

o 

E 

•+- 

4- 

4- 

u 

*3 

LU 

a; 

U- 

4- 

4- 

m 

C 

LU 

4-> 

o 

O 

O 

£ 

o 

U3 

4-} 

4-> 

■M 

•r* 

u 

>» 

03 

>>Q- 

o 

3 

3 

3 

U. 

O) 

U 

TJ 

l/>  CO 

r— * 

.C 

x: 

o. 

t/*> 

03 

c: 

< 

Lu 

t/1 

CO 

oo 

e 

o 

to 

CO 

u 

o  c 

5 

5 

0) 

q; 

s- 

0) 

i-  o 

<U 

O 

o 

o 

4-> 

u-> 

o. 

c/^ 

4-> 

3 

p— 

<T3 

<t} 

C  -O 

Lu 

Lu 

Lu 

Uu 

U 

u 

CO 

to 

O  0) 

•r- 

a> 

(U 

“O 

“O 

■o 

•u> 

•u> 

OJ 

U 

0) 

0) 

o 

c 

c 

<D 

03 

03 

u 

QJ 

3 

3 

3 

t— t 

»— « 

r— 

U 

o 

03  O 

e 

>  Lu 

Lu 

Lu 

X 

•  f— 

♦r* 

C  — J 

CLT3 

Q. 

03 

“D 

■o 

o 

u 

r— 

CM 

ro 

e  oj 

e 

C 

C 

c 

•1“  CT> 

O- 

> 

(T5  •— 

03 

LU 

t-H 

*—«  4-> 

4->  03 

<D 

0) 

cu 

-J  X 

03  f— 

•  4- 

C 

C 

c 

03 

o 

cn 

Oi  3 

U  Lu 

C 

4- 

o 

o 

o 

•u  c 

4-^ 

LU 

fO 

03  03 

a> 

QJ  OhsI  Q^rviOJrxJ  0) 

o  >  -  >  •  > 

3  ^  r—  ^  4->  r— 

I  </>x:u»owfOora  I 
I  ^O035»32>3>  I 


Q. 

(.J 

I  U  LU 
I  O  UJ 

»  o 


CX  Lu  ^ 

>,  3 

U  U  3  n3 

o  'ti  oi  u- 

O  _l 


^  Uu  0.4-> 
Lu  O  r— 
O  I  3 
O  LU  c  ns 
0^  LU  O  LU 


•r“ 

[+J  -r-  1/1  (D  UU 

1—  CNj  ro  o 

l_CTI3a.  r—  <M  n  E'^ 

O  O  (3  c 

nSnjWuJ  Q  Q  Q  Oiio 

Lu  Uu  Lu  C.) 

Lu>-tJJ=U_  U-  U.  U.  30. 

3:  3  3  •— 

3  3  3  3  <CE 

o 

r  ® 

>>-3  r— 

U  0>  3 
rtj  .C  rj 
“3  U  U- 
C  -M 
O  ^  LO 
U  _l  LJ 
a>  •*— 'o 

in  2 


TABLE  4  RAEEC  FINAL  SYSTEM  DEFINITION  (Continued) 


03 

u 

1 

a> 

O) 

o 

1 

u 

i~  c 

4-> 

<D 

<D 

=£  C  O 

to 

U1 

4-» 

•r— 

3 

4- 

CL 

E 

<3J 

<U 

4-> 

O  4-> 

+-» 

4- 

E 

•a 

O) 

o 

O 

l/V 

&. 

c 

N 

c 

M  «/>  tf 

CT 

N 

c 

NI  O 

c  o 

o 

O 

O 

t— » 

o  o. 

a> 

o  s- 

r- “ 

*r™ 

u 

<u 

z 

c 

4d 

Lu 

c 

Cu 

u 

c 

(U 

O) 

4- 

TO  C 

ZD 

4-) 

■  P“ 

c 

4-»  c  >• 

O 

a>  o 

r“ 

s 

</) 

(/> 

•r— 

1/1  to 

0)  o 

a; 

S- 

.u 

•r“ 

3 

s- 

3  > 

t. 

C 

3 

o 

c 

S- 

O 

3 

w 

03 

o 

O  CQ  T3 

Li. 

c 

Q. 

h~ 

3 

-c  <u 

0) 

CO 

^0 

LI. 

X 

1— 

K  “O 

03 

"O 

0)  03 

W 

<U 

&. 

Ld 

O) 

LiJ 

4-> 

a> 

L>  O. 

o 

<J 

o 

O 

f— “ 

s- 

<U 

3 

OO 

OJ 

C  0^ 

-M 

o 

0) 

P 

3 

u 

E  CO 

03 

c 

s- 

o 

nj 

3 

?6 

CO 

3 

03 

S. 

CO 

*—  Q. 

O) 

Q. 

LiJ 

u 

U. 

<D 

CO 

00 

<1>  4-> 

o 

c 

03  E 

g, 

LlJ 

<v 

J- 

<V 

c/> 

S-  O) 

CO 

c 

OYCO  3 

r™ 

c 

>^4-» 

U 

0) 

CO 

•r- 

c 

O. 

3 

t/) 

OJ 

00 

Q. 

00  C 

QJ 

4d 

•r“ 

4-i 

cC 

L. 

4-> 

CD 

<T3 

cv 

•r“ 

4-> 

d  O 

4-“ 

c 

•o 

O 

0)  f 

w 

CL 

CO 

u 

3  X5 

4.> 

c 

1  i/I 

c 

u 

3* 

u  c 

P 

O 

03 

u  u 

u 

cu 

E 

1 

O 

o  c 

tfm. 

< 

O 

3  fO 

o 

Q- 

4-» 

X  3 

3 

o 

(  o 

o 

X 

^  c.  u. 

Cd 

l/^  (-  K- 

O 

00 

o 

Ll. 

X 

a; 

(j 

o9 

c 

c/3 

“O  03 

m 

LU 

03  r- 

CO 

Ll. 

03  03 

o 

3 

f—  CO 

Lu 

o3 

CO 

3 

4-> 

5» 

4->  CO 

a. 

S-  3 

LU 

LU 

<—  o  o 

03  S- 

(/>  o 

u. 

T)  •— 1  lo 

4->  ^ 

Q- 

Li. 

1  zst 

1 

1 

< 

< 

<  <  U.  (_) 

1/5  h-  t— 

3 

<V 

6  <u  o 
^  c  s- 

•r-  4-^ 

i-  CD  C 
O  C  O 
U.  LU 


•  •  T3  CD 

c  o  o;  c 

s. 

O  i/I 

c 

•1-  X  fNi 

4-> 

4->  o;  •*-  ^ 

c 

OJ  L.  CO  CO  CO 

a; 

fsj  3  a>  OD  i- 

E 

•f-  CJl  >  ^  O) 

CDi— 

</»  r-  L.  4->  4.) 

3  O 

QJ  Li_  3  c  a.‘ 

<  u 

x:  <_)  >^  E 

+J  CJ  i/)  (tj 

w  c: 

c  at  s_  i. 

o  o 

>>  «/)  o  c  o> 

Li-  O 

C/)  ’^Li.  O- 

TABLE  4  RAEEC  FINAL  SYSTEM  DEFINITION  (Continued) 


42 


i 


TABLE  4  RAEEC  FINAL  SYSTEM  DEFINITION  (Continued) 


1 

*  o 

4->  c 

<u 

CO  t/^  4-3 

•r“  'r- 

x: 

1  <U  3  r- 

3  — 1 

4-3 

<1> 

«/>  C  +->  O  O 

‘4- 

c 

W  1- 

•p-  •r-  <T5  L-  LbJ 

“C 

O 

>5 

O 

Q  e  +4  LU 

1 

OJ  4-i 

-o 

to 

Li.  i 

J-  CO  c 

OJ 

c  »t: 

c 

OJ 

T3 

4->  <u  O  *• 

•/“  o 

o 

1. 

Q.  V. 

r—  4->  Q><_)  QJ 

-Q 

u 

c 

OJ 

3  fO 

3  <U  C  > 

{/t 

S  wi 

OJ 

4-3 

^  3: 

ro  O  i/)  •#— 

3 

O  <JJ  oo 

OJ 

u 

LI.  4-3  03  4-3 

O 

(-J  TD 

u 

fO 

o  <0  x:  ^ 

o 

c 

•r“ 

TD 

s. 

3  <TS 

CO  • 

.C  LU  ^  U  S. 

►—1 

o 

^  > 

c 

OJ 

U  4J 

s: 

4-»  LU  OJ  4-3  0> 

h- 

cu  O  <C 

/a  fT3 

OJ  ct 

•(“  Q.T-  Q. 

-!->  S- 

c 

Q.  O 

s-  ce 

3  JC  o  i  o 

.  ^ 

o 

4->  Q- 

>1 

U  CO  c 

c 

*4-> 

2  -M 

*0  n  CA  >— 4  • 

U- 

>1  E  s: 

<U  4-  r— 

*o  u 

01  UJ  -  >1  o 

laJ 

t 

-C 

3  3 

i-  o 

•<—  r—  <—  •*LiJ 

Q 

< 

c  Qc: 

f— 

CL 

<0  il. 

1—  e  O)  <—  T3  UJ 

s- 

4-3  LL- 

□r 

CL  O  C  ^  CJ 

S-  «M 

O- 

s- 

3 

Cl  t-  C  U  f—  0> 

(—  i. 

o  o  -a 

VI 

3  Lt-  <0  T-  ‘f  > 

o 

c: 

Lu 

C 

OJ  3  CO  ^  4->  n3  -r* 

U 

5«  CU 

OJ 

^<t: 

T3  O 

CA  o  rt3  lu  -*-3 

OJ 

OJ 

GJ 

</l 

4-3 

U  OJ  B 

> 

>  ^ 

2 

• 

3  • 

>  h- 

•»-  4->  x:  o  E  j- 

•r-  <0 

4-> 

ZD 

Q.  (/) 

o  or 

0>  OJ  U  4->  O  QJ 

c. 

<V  3 

OJ  Q. 

C  *t- 

i.  <« 

O  S-  n)  3  i.  a. 

=> 

u  a 

GO 

O 

«  </> 

a.rD_j  ouj<u.o 

R-"' 


3. 2. 4. 3  Design  Implementation 

The  RAEEC  final  system  design  features  a  dual  redundant  channel  architecture 
with  several  distinctive  characteristics  as  contrasted  with  a  classical  duplex 
system  with  one  unit  in  standby. 

Each  channel  in  the  RAEEC  final  system  is  capable  of  independent  operation,  or 
"stand  alone",  because  each  channel  has  a  full  complement  of  sensor  inputs,  a 
computer  and  a  full  complement  of  function  drive  outputs.  The  computers  are 
operated  asynchronously.  In  addition,  each  channel  has  its  own  power  systsi 
supplied  by  separate  alternator  windings.  The  two  channels  are  also  indepen¬ 
dent  in  that  a  failure  in  one  channel  cannot  cause  a  failure  in  the  other. 

Both  channels  are  programmed  to  provide  identical  control  modes,  parameter 
synthesization,  and  self  test  routines. 

Both  channels  are  operated  continuously  to  perform  the  in-line  monitoring 
function  for  channel  fault  coverage  and  the  cross-channel  fault  coverage  func¬ 
tion. 

The  cross-channel  monitoring  coverage  is  provided  by  having  the  primary  and 
secondary  channels  communicate  continuously  with  eaoh  other.  This  channel 
communication  is  accomplished  by  a  Universal  Asynchronous  Receiver-Transmitter 
(UART).  The  UART  is  implemented  to  allow  the  primrry  channel  and  the  secondary 
channel  to  address  nd  read  a  dedicated  portion  "  'he  opposing  channel  RAM, 
However,  only  the  channel  where  the  RAM  is  phys’.  y  located  may  write  into 
its  own  RAM.  This  design  feature  retains  the  integrity  of  the  data  in  each 
RAM  in  the  event  of  a  fault  in  the  other  channel. 

The  UART-RAM  communication  provides  an  effective  input  sensor  redundancy  path 
while  still  maintaining  channel  independence  from  faults  in  the  other  channel. 
For  example,  if  the  primary  channel  PT2  pressure  sensor  input  signal  fails  and 
the  secondary  PT2  pressure  sensor  input  sign‘1  is  still  good,  the  primary  chan¬ 
nel  processor  can  interrogate  the  secondary  channel  for  the  PT2  data.  Upon 
receiving  the  proper  data,  the  primary  char  ’  continues  to  process  the  data 
and  retain  control  of  its  output  functions,  ne  input  sensor  is  used  in  this 
example  but  the  process  can  be  applied  to  ul  input  sensors. 

In  addition  to  the  RAEEC  final  system  circuit  redundancy  and  the  UART-RAM  data 
communication,  a  study  was  conducted  to  evaluate  the  possibility  of  using 
synthesized  input  sensor  data  in  the  event  of  faults  with  two  like  sensor  in¬ 
put  signals.  The  study  indicated  that  eight  input  sensors  could  be  synthesized 
in  each  channel  by  using  data  from  other  sensors  and  the  schedules  (Figure 
10)  stored  in  the  processor  memory.  The  functions  which  can  be  synthesized  in 
each  channel  are: 


(1)  Speed,  NH 

(2)  Temperature,  TBT  avg. 

(3)  Temperature,  TBT  peak 

(4)  Temperature,  T22 

(5)  Pressure,  PT2 

(6)  Pressure,  PT3 

(7)  Pressure,  PT13 

(8)  Pressure,  P3 


The  accuracy  of  the  data  produced  by  the  synthesization  process  is  sufficient 
to  be  used  for  majority  voting  and  also  permits  the  pilot  to  safely  abort  the 
mission  if  both  sensor  input  signals  fail. 

Uith  data  available  from  two  sensor  input  signals  (hardware)  and  similar  data 
from  two  synthesi zations  (software)  also  available,  the  combination  provides 
for  an  effective  4-way  majority  voting  scheme  for  perfect  coverage  of  a  fault 
in  one  sensor  input  signal.  When  one  of  the  redundant  input  sensor  signals 
has  already  failed,  the  synthesis  still  provides  for  a  3-way  majority  voting 
scheme  for  perfect  coverage  of  the  remaining  sensor  signal. 

By  means  of  the  RM  techniques  and  design  features  described  in  Section  3.3,  a 
dual  channel  engine  control  with  additional  selective  redundancy  in  one  channel 
can  be  developed  for  fault  tolerant  operation  with  excellent  coverage  for  first 
and  second  failures.  This  type  of  redundant  operation  allows  the  engine  control 
to  operate  at  full  performance  and  mission  reliability  with  several  dissimilar 
failures  in  the  two  channels.  In  many  cases,  the  redundancy  in  the  system 
also  allows  deferment  of  immediate  maintenance  actions  to  a  later  time  without 
compromising  effective  engine  control  performance  or  mission  reliability. 

Since  each  system  is  capable  of  providing  all  engine  control  functions,  it  is 
desirable  that  a  decision  be  validated  as  to  which  system  should  be  in  control 
at  any  given  time.  As  in  the  baseline  system,  a  third  processor  would  be  un¬ 
justifiable  to  perform  just  this  function  of  a  third  intelligence,  or  voter. 
Therefore,  a  hardwired  logic  approach  is  used. 

Selected  fault  discretes  are  hardwired  between  the  two  system  processors  to 
allow  the  status  of  each  system  to  do  transmitted  to  the  other  processor.  This 
system  operates  even  though  two-way  communication  through  the  UART-RAM  link  is 


45 


inadvertently  interrupted.  The  failure  discretes  provide  up  to  eight  states 
of  fault  information  to  be  transmitted  to  the  opposite  control  system  so  that 
a  decision  regarding  which  system  should  control  the  engine  can  be  made.  The 
three  fault  discretes  for  the  two  systems  are; 

(1)  Power  Supply  Condition  (Power  On  Reset  -  POR) 

(2)  Condition  of  Processor  and  1/0  (System  ON) 

(3)  Pilot  Enable  Command  (Manual  Enable  Switch) 

Based  upon  these  six  signals,  or  condition  monitors,  a  decision  is  made  as  to 
which  control  is  most  capable  of  running  the  engine. 

The  output  drivers  of  the  two  systems  are  interlocked  so  that  only  one  system 
can  control  at  a  time.  In  no  case  can  both  systems  be  enabled  to  attempt  sim¬ 
ultaneous  control.  An  additional  design  feature  allows  individual  output  loops 
to  be  switched  in  or  out  in  the  event  of  less  significant  system  failures  pro¬ 
vided  the  DART-RAM  link  is  operative.  Thus,  maximum  control  flexibility  is 
provided  to  respond  to  all  failure  situations. 

3. 2. 4. 4  Quasi-Redundant  Pressure  Sensors 

The  FINAL  RAEEC  system  configuration  provides  for  fully  redundant  dual  control 
channels  and  therefore,  would  theoretically  require  twelve  single  pressure 
sensors.  However,  twelve  pressure  sensors  per  control  is  not  considered  viable 
because  of  excessive  size,  weight,  and  cost.  A  trade  off  study  of  alternative 
pressure  sensor  configurations  was  carried  out  to  determine  if  it  is  feasible 
to  replace  the  twelve  single  pressure  sensors  with  six  quasi -redundant  pressure 
sensor  packages  without  significantly  degrading  RAEEC  reliability.  A  quasi- 
redundant  pressure  sensor  is  characterized  by  a  single  (nonredundant)  trans¬ 
ducer  assembly,  with  all  or  some  of  its  electrical  components  redundant.  The 
results  of  this  analysis  indicate  that  the  most  feasible  configuration  appears 
to  be  a  pressure  sensor  with  single  cylinder  and  coils,  but  provided  with  dual 
redundant  (parallel)  oscillator  circuits,  PROHs,  temperature  sensors,  and  in¬ 
terface  electronics. 

Figure  12  is  a  block  diagram  of  the  selected  quasi-redundant  pressure  sensor- 
configuration.  Separate  temperature  sensor  diodes,  PROMs,  and  pressure  sensor 
output  frequency  signals  are  supplied  to  the  primary  and  secondary  channels. 
Primary  and  secondary  components  are  independently  excited  by  the  primary  and 
secondary  power  supplies  respectively.  The  output  signals  from  the  pressure 
sensor  components  dedicated  to  the  primary  or-  secondary  channel  are  converted 
to  digital  data  words  by  the  associated  interface  electronics  and  supplied  to 
the  channel  CPU  for  compensation,  self  test,  and  control  mode  computation.  It 
should  be  noted  that  the  temperature  sensing  diode  and  PROM  for  each  channel 
are  matched  to  minimize  errors  due  to  temperature  drift. 


46 


The  baseline  RAEEC  self  test  routines  are  capable  of  detecting  failures  in  the 
quasi-redundant  pressure  sensor.  A  fault  which  occurs  in  one  channel  but  not  the 
other  will  cause  the  RAEEC  software  to  reject  the  pressure  input  data  word 
from  the  failed  channel,  and  continue  computing  with  the  input  data  word  from 
the  "good"  channel;  no  hardware  enable/disable  switching  is  required.  This 
type  of  fault  is  processed  as  a  first  failure  and,  therefore,  "maintenance 
alert"  is  not  signaled.  A  common  mode  fault,  failing  both  channels  identi¬ 
cally,  is  detected  either  by  input  range  limit  testing  or  by  a  parameter  major¬ 
ity  logic  check  involving  the  average  of  both  channel  inputs,  the  pressure 
data  word  synthesized  by  the  primary  CPU,  and  the  pressure  data  word  synthe¬ 
sized  by  the  secondary  CPU.  Common  mode  faults  are  processed  the  same  as 
second  like  failures  signaling  "maintenance  alert". 

3.3  System  Reliability  Evaluation 

3.3.1  Concepts 

There  are  two  methodologies  concerning  the  reliability  requirements  for  com¬ 
plex  electronic  engine  controls.  One  approach  is  absolute  in  that  a  system 
works  or  it  doesn't  and  a  critical  system  failure  is  intolerable.  The  other 
approach  is  less  severe  in  that  a  system  must  be  tolerant  towards  single  and 
multiple  failures,  but  the  system  must  not  go  down.  There  exists  a  middle 
ground  between  the  absolute  concept  and  the  fault  tolerant  concept  for  present 
high  reliability  systems.  The  optimum  approach  for  reliability  attainment  is 
to  incorporate  the  best  features  of  both  methods.  This  study  addresses  the 
ways  to  increase  the  hardware  reliability  and  to  optimize  the  system  configur¬ 
ation  through  redundancy. 

The  fault  tolerant  concept  extends  the  period  of  trouble-free  life  and  thus 
increases  system  availability.  Fault  tolerant  systems  do  not  eliminate  the 
need  for  maintenance  but  they  can  reduce  the  frequency  of  unscheduled  mainten¬ 
ance.  These  goals  can  be  reached  without  significant  sacrifice  of  inherent 
flight  safety  requirements.  The  design  goal  is  to  keep  the  system  operational 
in  spite  of  single  and  multiple  hardware  failures.  As  conceded  earlier,  fail¬ 
ures  can  and  will  occur  in  any  system.  The  problems  are:  What  will  happen 
and  what  can  be  done  about  it?  As  stated  by  Wulf  (Reference  1),  it  is  much 
more  important  to  recover  from  failures  than  to  prevent  them  since  perfect 
reliability  is  not  attainable. 


The  recovery  concept  cannot  be  precisely  defined  for  all  systems  and  designs. 
Recovery  is  most  generally  described  as  detecting,  locating  and  automatically 
recovering  from  a  hardware  failure.  Most  reliability  modeling  assumes  perfect 
detection  and  recovery  from  failures  (Reference  2).  Less-than-perfect  detec¬ 
tion  and  recovery  from  failures  is  defined  by  the  concept  of  coverage  (refer¬ 
ence  3).  Coverage  C  is  the  conditional  probability  that,  given  the 


existence  of  a  failure  in  the  operational  system,  the  system  is  able  to  re¬ 
cover  and  continue  operation  with  no  permanent  loss  of  function.  That  is, 

C  =  Pr  (System  recovers/System  fails).  Therefore,  reliability  models  must 
include  coverage  of  failures  as  a  design  parameter. 

The  calculation  of  coverage  values  for  each  function  is  based  upon  the  defin¬ 
ition  for  system  coverage.  In  the  advanced  system,  coverage  includes  only 
those  failure  modes  which  degrade  functional  performance  or  coverage  itself. 
Single  failures  having  no  effect  on  system  operation,  and  not  reducing  the 
level  of  coverage  for  those  failures  which  do  degrade  system  performance,  are 
called  "non-functional"  failure  modes.  The  failure  rates  (XNF)  associated 
with  non-functional  failure  modes  are  subtracted  from  the  total  failure  rate 
(XT)  for  the  function.  The  remainder  is  the  functional  failure  rate  (XF). 

XF  is  therefore  the  sum  of  all  failure  modes  which  degrade  performance  and 
coverage.  Functional  failure  modes  which  are  undetectable  by  the  in-flight 
BIT  routines  or  cannot  be  isolated  to  one  of  the  redundant  elements,  or  cannot 
be  repaired  in  flight,  are  called  "uncovered".  The  sum  of  the  failure  rates 
associated  with  "uncovered"  failure  modes  is  called  the  uncovered  failure 
rate  (Xu). 

The  coverage  value  (C)  for  each  system  function  is  the  part  of  its  functional 
failure  rate  (X  F)  derived  from  functional  failure  modes  compatible  with  the 
requirements  for  coverage,  i.e., 

C  =  X  F  -  X  u  =  1  -  Xu/X  F  =  1  -  Xu 

rr“ 

The  coverage  concept  has  introduced  the  idea  of  RM  (Refe**ence  4).  The 
process  of  RM  is  directed  at  improving  the  coverage  of  failures  with  the 
purpose  of  making  systems  fault  tolerant.  As  such,  the  goals  of  RM  are 
synonymous  with  those  of  coverage  in  reliability  modeling  of  system  designs. 


The  basic  reliability  goals  are  modified  when  coverage  of  failures  is  consid¬ 
ered  as  a  system  parameter.  These  specific  reliability  goals  are  stated  as 
fol lows: 

(1)  The  ability  to  detect  (almost)  any  failure  in  the  system. 

(2)  The  ability  to  limit  any  system  damage  caused  by  a  failure. 

(3)  The  ability  to  make  failures  transparent  to  system  operation. 

(4)  If  unable  to  make  failures  transparent; 


49 


(a)  The  ability  to  place  the  system  in  a  consistent  state  so  that 
recovery  is  possible  and 

(b)  The  ability  to  report  the  failure  to  a  higher  level  which  can 
direct  an  intelligent  system  recovery  thus  making  the  failure 
transparent  at  higher  levels. 


The  major  contemporary  redundancy  techniques  for  developing  fault  tolerant 
systems  are: 

!•  Shannon-Moore  method  (Reference  5). 

2.  Tryon  method  (Reference  6). 

3.  Von  Neumann  method  (Reference  7). 

Standby  Redundancy (R^f erence  8). 


Of  these  four  methods,  the  standby  redundancy  method  is  perhaps 
and  has  been  used  for  a  long  time.  A  system  is  configured  with 
operating  and  one  or  more  subsystems  "standing  by"  to  take  over 
a  fault  is  detected  in  the  controlling  subsystem.  Depending  on 
standby  units  available,  the  above  operation  is  continued  until 
standby  unit  has  failed. 


the  most  basic 
one  subsystem 
operations  if 
the  number  of 
the  last 


The  Von  Neumann  method  which  uses  at  least  triple  redundancy  provides  for 
majority  voting  logic  and  encourages  continuous  subsystem  division  and  unit 
cross-strapping.  With  the  advances  in  microelectronics,  this  method  is  most 
popular  today. 


The  advanced  system  goals  in  this  study  were  best  satisfied  by  a  combination 
of  selective  active  standby  redundancy  and  triplicate  majority  voting  between 
the  system  channels. 

3.3.2  Baseline  System 

3. 3. 2.1  Failure  Effects 


The  baseline  system  shown  in  Figure  13  has  secondary  standby  redundancy  for 
engine  critical  functions  that  can  affect  flight  safety.  As  such,  the  main¬ 
tenance  MTBF  of  3039  hours  is,  by  definition,  a  series  summation  of  the  fail¬ 
ure  rates  so  that  repair  actions  are  taken  immediately  to  restore  a  high  prob¬ 
ability  of  flight  safety.  This  system  therefore,  reflects  a  high  repair  rate 
which  reduces  its  availability.  In  other  words,  maintenance  and  availability 
are  sacrificed  for  flight  safety.  The  effects  of  failures  in  this  system  are 
summarized  in  Table  5. 


50 


FIGURE  13  BASELINE  SYSTEM  RELIABILITY  BLOCK  DIAGRAM 


TABLE  5  FAILURE  EFFECTS-BASELINE  SYSTEM 
Major  Function  (Gas  Generator  Associated) 


EVENT 

MODE 

PILOT  ALERT 

MAINT  ALERT 

First  Failure 

Use  Second 
Channel 

Yes 

Yes 

Second  Fai lure 

Abort/ 

Shutdown 

Yes 

Yes 

Minor 

Function  (Augmentor  Associated) 

EVENT 

MODE 

PILOT  ALERT 

MAINT  ALERT 

First  Failure 

Abort 

Yes 

Yes 

A  summary  of  the  effect  of  successive  like  failures  on  engine  performance  for 
the  baseline  system  is  shown  in  Table  5.  A  second  failure  for  the  gas  genera¬ 
tor  associated  functions  causes  an  engine  shutdown  or  a  mission  abort.  These 
functions  are  redundant  in  the  baseline  configuration.  The  augmentor  associated 
functions  cause  a  mission  abort  because  they  are  simplex  in  the  baseline  con¬ 
figuration. 

3.3.2. 2  Detail  Failure  Rate  Sources 

The  rates  for  the  various  components  are  derived  from  over  250,000  hours  field 
operating  experience  with  an  existing  engine-mounted  electronic  fuel  control. 

To  compensate  for  the  projected  environment  of  the  RAEEC  system  as  compared  to 
the  JFC  90  environment,  the  techniques  and  adjustment  factors  set  forth  in  MIL- 
HDEK-217B  were  used.  The  main  factors  used  for  this  compensation  were  ambient 
temperature  and  component  complexity. 

i  he  failure  rates  shown  in  Figure  13  are  applied  consistently  in  all  of  the 
reliability  models  discussed  later  in  this  report.  That  is,  the  total  failure 
rate  for  a  module  or  a  system  only  changes  by  adding  to  or  subtracting  from  the 
parts  count  because  of  design  changes. 


52 


The  parts  failure  rate  summations  for  the  various  functions  displayed  in  the 
models  were  rounded  to  simplify  the  many  computations  and  to  avoid  a  certain 
amount  of  "noise"  in  comparing  values  containing  2  or  3  decimals.  Rounding 
up  dominated  over  rounding  down  by  using  0.4  rather  than  0.5  as  a  dividing 
point  to  assure  slightly  pessimistic  total  values. 

3.3.3  Reliability  Groundrules 

To  balance  the  mission  safety  and  availability,  the  following  groundrules  were 
established  for  the  advanced  system: 

(1)  A  completely  failed  channel  must  be  identified  to  the  crew.  The  pur¬ 
pose  of  this  requirement  is  to  enable  the  crew  to  identify  a  failed 
channel  to  (a)  effect  a  repair  before  take  off,  or  (b)  abort  the 
mission  in  flight,  or  (c)  indicate  during  a  mission  that  an  engine 
shutdown  can  be  irnminenl. 

(2)  A  warning  is  communicated  to  the  crew  when  one  additional  like  fault 
of  a  major  function  will  cause  a  mission  abort  or  an  engine  shutdown 
(catastrophic  for  single  engine  aircraft). 

The  purpose  of  this  requirement  is  to  decrease  the  failure  likelihood 
of  complete  loss  of  engine  control.  This  warning  enables  the  crew  to 
take  appropriate  action  during  flight  based  on  complete  knowledge  of 
present  and  future  system  status. 

(3)  A  warning  is  communicated  to  the  crew  when  a  minor  function  has  com¬ 
pletely  failed  and  there  is  a  minor  effect  on  engine  control  opera¬ 
tions. 

The  purpose  of  this  requirement  is  to  alert  the  crew  that  (a)  full 
engine  performance  is  not  available  and  (b)  the  augmentation  function 
is  not  available  if  needed, 

(4)  A  Maintenance  Alert  is  flagged  when  one  additional  like  fault  of  a 
major  function  will  cause  mission  abort.  A  Maintenance  Alert  is  also 
flagged  when  a  minor  function  has  completely  failed. 

(5)  A  channel  with  failed  outputs  must  be  inhibited  from  attempting  any 
control  functions. 

TIfe  purpose  of  this  requirement  is  to  avoid  transients  in  engine  con¬ 
trol  output  functions  caused  by  the  divergent  command  data  being  gen¬ 
erated. 


53 


(6)  The  failure  of  one  channel  should  not  cause  failure  of  another  chan¬ 
nel  , 

The  purpose  of  this  requirement  is  to  minimize  the  failure  likelihood 
of  the  total  system  due  to  internal  common  mode  failures. 

(7)  The  system  shall  not  fail  such  that  both  channels  are  disabled. 

The  purpose  of  this  requirement  is  to  retain  as  much  engine  control 
as  possible. 

The  appi  -.ation  of  the  above  groundrules  to  the  baseline  system  demonstrates 
that  a  better  balance  between  mission  safety  and  availability  can  be  achieved. 
There  are  now  50  first  failure  Maintenance  Alerts  for  this  modified  baseline 
(Table  6)  as  compared  to  a  Maintenance  Alert  on  every  first  failure  (58  first 
failure  Maintenance  Alerts). 

3.3.4  RAEEC  Final  System 

Several  factors  were  considered  in  developing  the  techniques  to  satisfy  the 
system  groundrules  listed  above.  One  of  the  more  significant  considerations 
in  the  redundancy  management  design  was  fault  detection,  fault  isolation  and 
system  recovery  from  faults  having  a  catastrophic  or  major  impact  on  engine 
operation. 

Another  important  consideration  was  the  amount  of  redundancy  management  re¬ 
sources  needed  to  attain  the  excellent  coverage  required  by  a  good  fault  tol¬ 
erant  system  design.  To  minimize  the  need  for  special  hardware  dedicated  to 
failure  coverage,  maximum  use  of  computer  software  was  indicated. 

To  reduce  the  possibility  for  control  failures,  the  study  evaluated  the  effects 
of  applying  selective  triple  redundancy  for  those  functions  having  a  signifi¬ 
cant  impact  on  engine  performance,  and  the  effects  of  applying  dual  redundancy 
for  functions  having  a  minor  impact.  The  effects  of  failures  for  a  selectively 
redundant  dual  channel  configuration  are  shown  in  Table  7. 

To  set  the  framework  for  the  RM  design,  a  study  using  the  failure  effects  rules 
established  the  impact  of  various  control  system  failures  on  engine  performance. 
The  results  are  tabulated  in  Failure  Flag  Action  Table  8. 

"Loss  of  Complete  Function",  indicates  the  impact  of  the  function  loss  on 
engine  performance.  There  are  14  functions  where  complete  failure  would  cause 
the  engine  to  shutdown.  Also,  there  are  21  functions  where  control  failures 
would  have  a  major  impact  on  engine  performance.  The  loss  of  the  remaining 
functions  are  designated  as  having  a  mirur  impact  on  engine  performance. 


54 


TABLE  6.  FIRST  FAILURE  FLAG  ACTIOR  MODIFIED  BASELINE  SYSTEM 


Function  Identification 

Loss  of 

Complete 

Function 

Elements 

First 

Pilot 

Flag 

Failure 

Maint 

Flag 

I. 

Power 

Shutdown 

2 

Yes 

Yes 

II. 

Speeds:  TPS 

Minor 

2 

No 

No 

NH 

Major 

2  + 

S 

No 

No 

NL 

Major 

2 

Yes 

Yes 

III. 

Temperatures:  TBT  AVG 

Minor 

1  + 

(S)* 

Yes 

Yes 

TT2 

Major 

2 

Yes 

Yes 

TBT  Peak 

Minor 

1  + 

(%)* 

Yes 

No 

122 

Major 

1  + 

S 

Yes 

Yes 

IV. 

A/D  Converter 

Major 

2 

Yes 

Yes 

V. 

Pressures:  PT2 

Major 

1  + 

s 

Yes 

Yes 

PT3 

Major 

1  + 

s 

Yes 

Yes 

PT5 

Minor 

1 

Yes 

Yes 

A  PI3 

Minor 

1 

Yes 

Yes 

PT13 

Minor 

1  + 

s 

Yes 

Yes 

A  P3 

Major 

1  + 

s 

Yes 

Yes 

VI. 

Resolvers:  PLA 

Shutdown 

2 

Yes 

Yes 

Fig  V 

Major 

2 

Yes 

Yes 

CSVA 

Shutdown 

2 

Yes 

Yes 

A4 

Major 

2 

Yes 

Yes 

A41 

Major 

2 

Yes 

Yes 

Aje 

Major 

2 

Yes 

Yes 

Ajd 

Minor 

2 

No 

No 

.,'fep 

Shutdown 

2 

Yes 

Yes 

Wf  es 

Shutdown 

2 

Yes 

Yes 

Wfdl 

Minor 

1 

Yes 

Yes 

Wfd2 

Minor 

1 

Yes 

Yes 

Wfd3 

Minor 

1 

Yes 

Yes 

VII. 

R/D  Converter 

Shutdown 

2 

Yes 

Yes 

VIII. 

Signals:  WOW 

Minor 

2 

No 

No 

Rf 

Minor 

2 

No 

No 

LOD 

Minor 

1 

Yes 

Yes 

ECU  Enable 

Major 

2 

Yes 

Yes 

AIC  Data 

Minor 

2 

No 

No 

IX. 

Pilot  fault  flag  switch 

Minor 

1 

Yes 

Yes 

X. 

CPU 

Shutdown 

2 

Yes 

Yes 

XI. 

Crosstalk  (CPU's) 

Minor 

1 

Yes 

Yes 

55 


TABLE  6  FIRST  FAILURE  FLAG  ACTION  MODIFIED  BASELINE  SYSTEM  (Continued) 


Function  Identification 


Loss  of 

Complete 

Function 


Elements 


First  Failure 
Pi  lol  FfaTnt. 

Flag  Flag 


XII. 

Torque  Motors:  TPS 

Minor 

2 

No 

Fig  V 

Major 

2 

Yes 

CSVA 

Shutdov/n 

2 

Yes 

A4 

Major 

2 

Yes 

AA| 

Major 

2 

Yes 

Aje 

Major 

2 

Yes 

Ajd 

Minor 

2 

iio 

Wfep 

Shutdown 

2 

Yes 

Wfes 

Shutdown 

2 

Yes 

Wfdl 

Minor 

1 

Yes 

Wfd2 

Minor 

1 

Yes 

Wfd3 

Minor 

1 

Yes 

XIII. 

Solenoids:  Start  Bleed 

Major 

2 

Yes 

Staging 

Major 

2 

Yes 

Thr.  Ba! 

Shu ‘■down 

2 

Yes 

Wfep  S.O.V. 

Shutdown 

2 

Yes 

Wfdl 

Minor 

1 

Yes 

Wfd2 

Minor 

1 

Yes 

Wfd3 

Minor 

1 

Yes 

XIV. 

Aug.  Ign.  Relay 

Minor 

1 

Yes 

XV. 

Resolver  Excitation:  A 

Shutdown 

2 

Yes 

B 

Shutdown 

2 

Yes 

S-Function  has  synthesis  available. 


No 

Yes 

Yes 

Yes 

Yes 

Yes 

No 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 


**(S)  -  Function  has  synthesis  available  for  BIT  only. 


TABLE  7.  FAILURE  EFFECTS  -  FINAL  SYSTEM 


Major  Function  (Gas  Generator  Associated) 


Event 

Mode 

Pilot  Alert 

Maint 

Alert 

First  Failure 

Use  Second 
Channel 

No 

No 

Second  Failure 

Use  Third 
Channel 

Yes 

Yes 

Third  Failure 

Abort/Shut¬ 

down 

Yes 

Yes 

Minor  Function 

(Augmentor 

Associated) 

Event 

Mode 

Pilot  Alert 

Maint 

Alert 

First  Failure 

Use  Second 
Channel 

No 

No 

Second  Failure 

Abort 

Yes 

Yes 

57 


TABLE  8.  FIRST  FAILURE  FLAG  ACTION  FINAL  SYSTEM 


First 


Function 

Loss  Of 
Complete 

No.  Of 

Failure 

Pilot 

Maint 

Identi Fication 

Function 

Elements 

Flag 

Flag 

POWP'^ 

Shutdown 

2 

Yes 

Yes 

Spi  , : 

TPS 

Minor 

2 

No 

No 

NH 

Major 

2* 

No 

No 

NL 

Major 

3 

No 

No 

Temperatures : 

TBT  Avg 

Minor 

2* 

No 

No 

TT2 

Major 

3 

No 

No 

TBT  Peak 

Minor 

2* 

No 

No 

A/0  Converter 

Major 

3 

No 

No 

Pressures 

PT2  Transducer 

Major 

1^ 

Yes 

Yes 

PT3  Transducer 

Major 

1* 

Yes 

Yes 

PT5  Transducer 

Minor 

1 

Yes 

Yes 

AP13  Transducer 

Minor 

1 

Yes 

Yes 

AP3  Transducer 

Major 

1* 

Yes 

Yes 

FT2  Electronics 

Major 

2* 

No 

No 

PT3  Electronics 

Major 

2* 

No 

No 

PT5  Electronics 

Minor 

2 

No 

No 

A  P13  Electronics 

Minor 

2 

No 

PT13  Electronics 

Minor 

2* 

No 

AP3  Electronics 

Major 

2* 

..V 

No 

ResolVers 

PLA 

Shutdown 

3 

No 

No 

Fig  V 

Major 

3 

No 

No 

CSVA 

Shutdown 

3 

No 

No 

A4 

Major 

3 

No 

No 

A41 

Major 

3 

No 

No 

Aje 

Major 

3 

No 

No 

Ajd 

Minor 

2 

No 

No 

Wf  ep 

Shutdown 

3 

No 

No 

Wfes 

Shutdown 

3 

No 

No 

TABLE  8.  FIRST  FAILURE  FLAG  ACTION  FINAL  SYSTEM  (Continued) 


First 


Function 

Loss  Of 
Complete 

No.  Of 

Pi  lot 

Failure 

Maint, 

Identification 

Function 

Elements 

Flaa 

Flag 

Resolvers  (Continued) 

Wfdl 

Minor 

2 

No 

No 

Wfd2 

Minor 

2 

No 

No 

Wfd3 

Minor 

2 

No 

No 

R/D  Converter 

Shutdown 

3 

No 

No 

Signals; 

MOW 

Minor 

2 

No 

No 

RF 

Minor 

2 

No 

No 

LOD 

Minor 

2 

No 

No 

ECU  Enable 

Major 

2 

No 

Yes 

AIC  Data 

Minor 

2 

No 

No 

Fault  Flag  Switch 

Minor 

1 

-S 

Yes 

CPU 

Shutdown 

2 

Ves 

Yes 

Cro.staik  (CPU's) 

Minor 

2 

Yes 

Yes 

Torque  Motors; 

TPS 

Minor 

2 

No 

No 

FIGV 

Major 

3 

No 

No 

CSVA 

Shutdown 

3 

No 

No 

A4 

Major 

3 

No 

No 

A41 

Major 

3 

No 

No 

Aje 

Major 

3 

No 

No 

Ajd 

Minor 

2 

No 

No 

Wf  ep 

Shut  down 

3 

No 

No 

'■Jfes 

Shutdown 

3 

No 

No 

Wfdl 

Minor 

2 

No 

No 

'Wfd2 

Minor 

2 

No 

No 

Wfd3 

Minor 

2 

No 

No 

TABLE  8.  FIRST  FAILURE  FLAG  ACTION  FINAL  SYSTEM  (Continued) 


Loss  Of 

Function  Complete 

Identification  Function 

Solenoids: 

Start  Bleed  Major 

Stag i no  Major 

Thr.  Bal.  Shutdown 

Wfep  S.O.V.  Shutdown 

Wfdl  Minor 

Wfd2  Minor 

Wfd3  Minor 

Aug.  Ign.  Relay  Minor 

Resolver  Excit.  A.  Shutdown 

B.  Shutdown 


First 

Failure 


No,  Of 

Pilot 

Maint. 

Elements 

Flag 

3 

No 

No 

3 

No 

No 

3 

No 

No 

3 

No 

No 

2 

No 

No 

2 

No 

No 

2 

No 

NO 

2 

No 

No 

2 

Yes 

Yes 

2 

Yes 

Yes 

Parameter  Synthesis  Available 


The  significance  of  the  added  redundant  functions  can  be  evaluated  by  compar¬ 
ing  Tables  5  and  7.  The  added  redundancy  has  effectively  inserted  an  additional 
tolerable  function  failure  in  the  state  paths  from  full  performance  to  major 
system  failure. 

The  impact  on  Maintenance  Alert  Requirements  for  the  final  system  was  evaluated. 
Between  the  baseline  configuration  and  the  final  configuration,  the  system 
requires  a  Maintenance  Alert  on  only  13  first  failures  as  contrasted  with  a 
Maintenance  Alert  on  every  first  failure  (58)  in  the  baseline  system.  If  the 
same  groundrules  used  for  the  final  RAEEC  system  are  applied  to  the  baseline 
system,  the  situation  changes  very  little.  The  baseline  system  now  requires 
a  Maintenance  Alert  on  50  first  failures  as  compared  to  a  Maintenance  Alert 
on  58  first  failures  under  the  original  groundrules.  The  final  system  is  still 
significantly  better. 

A  description  of  the  final  system's  dual  channel  redundancy  implementaticn  was 
presented  in  Section  3. 2. 4. 3.  Provisions  have  been  made  for  cross-channel 
monitoring  via  the  UART-RAM  set-up,  input  sensor  redundancy,  input  parameter 
synthesis,  inter-channel,  hardwired  failure  discretes,  interlocked  ano  inter¬ 
changeable  output  driver  control.  As  a  result  of  these  features,  maximum  con¬ 
trol  flexibility  is  provided  to  respond  to  all  failure  situations. 

The  reliability  block  diagram  for  the  final  system  is  shown  in  Figure  14.  The 
minimum  operational  MTBF  of  7965  hours  for  the  final  RAEEC  system  was  calcu¬ 
lated  with  2  computer  programs.  The  arcs  in  Figure  14  illustrate  the  software 
cross-strapping  of  the  various  functions  and  the  degree  of  failure  allowed 
before  a  maintenance  action  is  required  while  still  maintaining  minimum  level 
of  safety  reliability. 

3,3.5  System  Coverage 

table  9  provides  calculated  coverage  values  for  first  and  second  like  failures 
for  each  final  RAEEC  system  function.  Coverage  is  provided  by: 

1.  The  failure  detection  capability  of  the  BIT  applicable  to  each  function 
is  identified  in  Table  10.  The  table  identifies  the  type  of  test 
whether  it  is  implemented  by  hardware  or  software. 

2,  The  ability  of  the  software  to  reject  data  from  input  channels  in 
which  failure  is  detected  by  the  BIT,  and  to  replace  the  failed  data 
sources  with  data  obtained  from  "gooo"  redundant  channels  using,  if 
necessary,  the  "cross-talk"  data  channel  interlinking  the  primary  and 
secondary  CPU's. 


61 


FIGURE  14  RELIABILITY  BLOCK  DIAGRAM  -  FINAL  SYSTEM  (SHEET  2  OF  6) 


FIGURE  14  RELIABILITY  BLOCK  DIAGRAM  -  FINAL  SYSTEM  (SHEET  5 


RELIABILITY  BLOCK  DIAGRAM  -  FINAL  SYSTEM  (SHEET  6 


TABLE  9  Fl^iAL  RAEEC  SYSTEM  COVERAGE 


j 

Second 

First 

Like 

Function 

No.  Of 

Failure 

Failure 

Identification 

Units 

Cov. 

Test 

Cov. 

Test 

Power 

2 

.963 

11 

N/A 

N/A 

Speeds: 

s  . 

TPS 

2 

.942 

1,^.9, 14 

N/A 

N/A 

NH 

2* 

1.0 

3 

1.0 

3 

NL 

3 

i.O 

3 

.942 

1,2.9,14 

' 

Temperatures: 

TBT  Avg 

2* 

1.0 

3 

1.0 

3 

1 

TT2 

3 

1.0 

3 

.929 

1.2,9.10 

TBT  Peak 

2* 

1.0 

3 

1.0 

3 

< 

A/0  Converter 

3 

1.0 

3 

.976 

1,2,9,10,14 

V 

Pressures 

{■ 

i 

PT2  Transducer 

1* 

1.0 

3 

N/A 

N/A 

PT3  Transducer 

1* 

1.0 

3 

N/A 

N/A 

i. 

PT5  Transducer 

1 

0 

N/A 

N/A 

N/A 

A  P13  Transducer 

1 

0 

N/A 

N/A 

N/A 

PT13  Transducer 

1* 

1.0 

3 

N/A 

N/A 

A  P3  Transducer 

1* 

1.0 

3 

N/A 

N/A 

\ 

PT2  Electronics 

2* 

1.0 

3 

1.0 

3 

PT3  Electronics 

2* 

1.0 

3 

1.0 

3 

PT5  Electronics 

2 

0.961 

N/A 

N/A 

A  P13  Electronics 

2 

0.961 

N/A 

N/A 

f 

PT13  Electronics 

2* 

1.0 

3 

1.0 

3 

> 

A  P3  Electronics 

2* 

1.0 

3 

1,0 

3 

Resolvers: 

PLA 

3 

1.0 

3 

.99 

1,2,9,10 

FIG  V 

3 

1.0 

3 

.99 

1,2,9,10 

CSVA 

3 

i.O 

3 

.99 

1,2,9,10 

M 

3 

1.0 

3 

.99 

1.2,9,10 

A41 

3 

1.0 

3 

.99 

1.2,9.10 

Aje 

3 

1.0 

3 

.99 

1,2,9.10 

N/A 

Ajd 

c 

,99 

1,2,9,10 

N/A 

Wfep 

3 

1.0 

3 

.99 

1,2,9,10 

m 


TABLE  9.  FIMAL  RAEEC  SYSTEM  COVERAGE  (Continued) 


First 

Seconu 

Like 

Function 

No.  of 

Fai lure 

Failure 

Identification 

Units 

Coy. 

Test 

Coy. 

Test 

Wfes 

3 

1.0 

3 

.99 

1,2,9,10 

Wfdl 

2 

.99 

1,2.9,10 

N/A 

N/A 

Wfd2 

2 

.99 

1.2,9.10 

N/A 

N/A 

Wfd3 

2 

.99 

1,2.9,10 

N/A 

N/A 

R/D  Converter 

3 

1.0 

3 

.958 

1.2.9,10 

14 

Signals: 

WOW 

2 

0 

N/A 

N/A 

N/A 

RF 

2 

0 

N/A 

N/A 

N/A 

LOD 

2 

.99 

N/A 

N/A 

N/A 

ECU  Enable 

2 

0 

N/A 

N/A 

N/A 

AIC  Data 

2 

.99 

1.15 

N/A 

N/A 

Fault  Flag  Switch 

1 

0 

N/A 

N/A 

N/A 

CPU  2 

.996 

4.5.12, 

13,16 

N/A 

N/A 

N/A 

Crosstalk 

(CPU's) 

2 

.99 

17 

N/A 

N/A 

Torque  Motors; 

TPS 

2 

.958 

6 

N/A 

N/A 

FIGV 

3 

.958 

6 

.958 

6 

CSVA 

3 

.958 

6 

.958 

6 

A4 

3 

.958 

6 

.958 

6 

A41 

3 

.958 

6 

.958 

6 

Aje 

3 

.958 

6 

.958 

6 

Ajd 

2 

.958 

6 

N/A 

N/ 

Wfep 

3 

.958 

6 

.958 

6 

'Wfes 

3 

.953 

6 

.958 

6 

Wfdl 

2 

.958 

6 

N/A 

N/A 

Wfd2 

2 

.958 

6 

N/A 

N/A 

Wfd3 

2 

.958 

6 

N/A 

N/A 

Solenoids : 

Start  Bleed 

3 

.958 

6 

.958 

6 

Staging 

3 

.958 

6 

.958 

6 

Thr.  Bal 

3 

.958 

6 

.958 

6 

Wfep  S.O.V. 

3 

.958 

6 

.958 

6 

Wfdl 

2 

.958 

6 

N/A 

N/A 

Wfd2 

2 

.958 

6 

N/A 

N/A 

Wfd3 

2 

.958 

6 

N/A 

N/A 

69 


TABLE  9.  FINAL  RAEEC  SYSTEM  COVERAGE  (Continued) 


Function 

No.  of 

First 

Failure 

Second 

Like 

Fai lure 

Identification 

Units 

Cov.  Test 

Cov.  Test 

Aug.  Ign.  Relay 

2 

.958  6 

N/A  N/A 

Resolver  Excitation: 

A 

2 

.958  N/A 

B 

2 

.958  N/A 

First  Failure 


Coverage 

Failure  Rate 

1.0 

135.98 

.996 

44.0 

.99 

23.0 

.968 

28.0 

.958 

149.0 

.942 

8.0 

.961 

33.09 

0.0 

15.4 

XCiX 
z  X  i 


=  411.75 
1107 


Second  Fai lure 

Coverage  Failure  Rate 


.0 

84.98 

.99 

6.0 

.976 

18.0 

.958 

99.0 

.942 

6.0 

.929 

9.0 

Z  X  i 
=  217.35 


=  .943 


=  .975 


70 


TABLE  10  BUILT-IN-TEST  SUMMARY 


BIT 

Test  Number  and  Name 

In-Fit 

Tests 

Pre-F  1 1 
Tests 

Software 

or 

Hardware 

(S) 

-iia 

1 

Input  Range  Limit  Check 

X 

X 

S 

0 

c 

Parameter  Coi relation  Check 

X 

X 

S 

3 

Parameter  Majority  Logic  Check 

X 

X 

S 

4 

Read  Onl"  Memory  (POM)  Check 

X 

X 

S 

5 

Computer  Cycle  Time  Test 

X 

X 

H 

6 

Output  Wraparound  Test 

X 

X 

H 

7 

Injected  Input  Test 

X 

S 

e 

Canned  Output  Computation 

X 

S 

9 

Loop  Dynamic  Check 

X 

X 

S 

10 

Reference  Signal  Check 

y 

X 

ii 

11 

Power  Supply  Test 

X 

X 

H 

12 

Processor  Instruction  Test 

X 

y 

S 

13 

Read-Write  (Scratch-pad  Memory 
Check) 

X 

X 

S 

14 

End  of  Conversion  (EuC)  SIT  Not 
Detected 

X 

y 

S 

15 

Hardware  Parity  and  Cede  Verifier 
Checks 

X 

X 

H 

16 

Clock  Loss  Detect  Circuit 

X 

X 

H 

17 

UAPT  Svnr  Wore  Defected 

X 

X 

h 

/I 


m 


The  ability  of  the  software  to  transfer  output  data  from  output  chan¬ 
nels  in  which  failure  is  detected  by  BIT  to  "good"  redundant  channels 
using  the  cross-talk  data  channel  interlinking  the  primary  and  second¬ 
ary  CPU's. 

The  ability  of  the  software/hardware  to  electrically  disable  the 
primary  channel  entirely  if  it  is  inoperative,  and  to  maintain  system 
operation  by  electrically  enabling  the  fully  redundant  secondary  chan¬ 
nel  . 

First  failure  coverage  values  given  in  Table  9  are  calculated  on  the  assumption 
that  the  system  is  initially  failure  free  before  failure  occurs.  Majority 
logic  checks  can  therefore,  be  applied.  Since  the  first  failure  in  a  three 
element  function  is  reduced  to  a  dual  element  function  until  scheduled  mainten¬ 
ance  takes  place,  in-line  testing  must  be  employed  to  provide  coverage  for  a 
second  like, failure  of  the  function.  Coverage  for  the  second  like  failure 
must  be  less  than  100%  because  majority  voting  is  not  possible. 

In  the  case  of  functions  provided  with  two  elements  and  software  synthesis  (in 
each  CPU),  the  majority  logic  check  can  be  applied  to  the  second  like  failure 
because  of  the  one  remaining  element  and  the  software  synthesis  in  each  CPU, 

If  the  remaining  single  element  is  identified  as  the  failed  unit,  it  can  be 
replaced  for  the  remainder  of  the  mission  by  the  software  synthesis.  In  this 
case,  therefore,  coverage  for  the  second  like  failure  remains  near  100%. 

For  two  element  functions,  first  failure  coverage  is  of  course,  less  than  100%. 
Coverage  for  a  second  like  failure  is  not  applicable  since  recovery  is  not 
possible,  However,  the  BIT  effectiveness  remains  applicable  since  fault  de¬ 
tection  of  second  like  failures  in  two  element  functions  must  be  provided  to 
flag  a  maintenance  alert, 

3,3.6  Final  System  Flight  Safety  Probability 

A  flight  safety  model  study  was  conducted  using  the  classical  reliability 
modeling  and  mathematical  approach  (Reference  9). 


The  model  was  developed  by  including  all  those  engine  control  functions  which 
can  cause  engine  shutdown  if  they  are  not  functioning  and  eliminating  the 
other  control  functions.  The  safety  model  is  shown  in  Figure  15  with  failed 
units  in  the  block  diagram  and  can  be  represented  by  the  reliability  graph 
shown  in  Figure  16.  This  model  is  essentially  the  same  architecture  as  the 
full  final  RAEEC  model  except  for  the  elimination  of  nonrelevanc  functions. 


FIGURE  15  FLIGHT  SAFETY  RELIABILITY  BLOCK  DIAGRAM 


The  reliability  of  the  system  can  be  expressed  in  minimal  tie  sets  of  the  graph, 
R  =  Pr  (Ti  +  T2  +  T3  +  T4) 
where  the  minimal  tie  sets  are 
Ti  =  Xl  X2  X3 

T2  -■=  X4  X5  X6 

T3  ^  Xl  X2  X7  X5  X6 

T4  =  X4  X5  xa  X2  X3 

All  other  tie  sets  are  nonminimal. 

In  Figure  15,  certain  redundant  elements  have  been  crossed  out  to  represent 
failure  of  that  element.  These  "selected"  failures  for  each  channel  reduce 
the  system  to  a  "worst  case".  Thus,  they  reflect  the  high  degree  of  fault 
tolerance  (hardware  •f'ailure)  not  necessitating  individual  maintenance  actions 
while  still  preserving  mission  safety  critical  functions.  The  model  is  defined 
as  the  minimal  number  of  systems  channel  elements  required  for  core  engine 
operation. 

With  this  reduced  graph  of  flight  critical  components,  the  coverage  value  CTn 
for  each  tie  set  is  calculated  using  the  data  in  Table  9  and  the  reliability 
equation.  The  tie  set  reliabilities  with  coverage  are 

Ti  =  Cti  (Xl  X2  X3) 

T2  =  Ct2  (X4  X5  Xe) 

T3  =  CT3  (Xl  X2  X7  X5  Xg) 

T4  =  Ct4  (X4  X5  X8  X2  X3) 

where  by  symmetry  Cji  -  Ct2  =  0.975 

and  CT3  =  0.981 

The  equation  for  system  probability  is  then  expanded  in  terms  of  the  joint  tie 
set  survival  probabilities  as 


75 


R  =  2  Pr  (T^i)  -  2  Pr  (Ti  Tj)  +  2  Pr  (li  Tj  Tk ) 
i  ij  ijk 

-  2  Pr  (Ti  Tj  Tk  Tl) 

i  j  kl 

Upon  substituting  the  derived  tie  set  data  into  the  equation,  the  reliability 
of  the  safety  model  with  coverage  is  0.99999974  which  is  a  failure  likelihood 
of  2.26  X  10-7. 


76 


3.4  Electrical  Debign 


3.4.1  Introduction 

The  final  RAEEC  circuit  desiqn  was  derived  from  the  baseline  system  through  a 
series  of  trades  study  which  are  presented  in  Appendix  A.  The  baseline,  also 
described  in  Appendix  A,  is  essentially  a  modified  Full  Authority  Digital  Elec¬ 
tronic  Control  (FAOEC).  The  final  design  choices  are  presented  here  for  the 
fourteen  circuit  partitions  studied. 

(As  a  quick  cross-reference  aid  the  third  digit  of  each  paragraph  dealing  with 
a  circuit  partition  is  the  same  in  this  section  and  Appendix  A.) 

3.4.2  Analoq-to-Pigital  Converter 

The  "smart,  multiple-ramp"  analog-to-digi tal  converter  used  in  the  RAEEC  final 
design  converts  multiplexed  high-level  (0  to  +10V)  DC  signals  to  a  12-bit  binary 
number  with  a  typical  accuracy  of  11  bits  and  with  a  maximum  conversion  time  of 
1.536  milliseconds.  A  microprocessor  is  used  to  perform  the  A/D  control  logic 
as  well  as  its  own  signal  multiplexing,  input  scaling,  and  range  checks,  in 
addition  to  fault  isolation.  The  analog  portion  of  the  converter  is  comprised 
of  an  integrator  with  four  multiplexed  inputs,  a  zero  comparator,  and  a  least 
significant  bit  comparator.  A  simplified  block  diagram  is  shown  in  Figure  17. 

3.4.3  Resol ve»~-to-Diqi tal  Converter 

An  R-C  Bridge/Pulse  Width  to  Digital  R/0  is  incorporated  in  the  final  RAEEC 
design,  which  has  superior  reliability  characteristics  over  other  R/D  circuits. 

This  11-bit  resolver  to  digital  converter  (Figure  18)  comprises  a  pair  of  volt¬ 
age  followers,  an  R-C  bridge,  phase  shift  to  pulse  width  comparators  and  logic, 
and  a  programmable  interval  timer  and  bus  driver.  The  two,  in  phase,  amplitude 
varying  AC  voltages  from  the  output  of  the  resolver  mux  (described  in  Section 
3.4.9)  carry  resolver  position  {$)  information  in  the  form  of  SIN  6  and  COS  6 
which  are  converted  in  an  R-C  bridge  to  two  constant  amplitude,  phase  shifted 
voltages,  whose  phase  difference  in  electrical  degrees  is  equal  to  2  ^  -90°. 
(Note  that  there  is  an  electrical  gain  of  two.)  The  two  phase  shifted  voltages 
each  drive  their  own  zero-comparator  whose  output  drives  an  equivalent  dual- 
clocked  flip-flop  circuit,  providing  a  logic-level  pulse  width  proportional  to 
twice  the  resolver  mechanical  angle.  This  single  pulse  width  in  turn,  enables 
the  programmable  interval  timer  which  can  be  addressed  directly  onto  the  data 
bus  by  the  CPU. 

The  following  lists  the  advantages  and  disadvantages  ot  the  R-C  bridge  resolver 
to  digital  converter; 


77 


FIGURE  17  MULTI  -  RAMP  A/D  CONVERTER 


E 


FIGURE  18  RESOLVER  TO  DIGITAL  CONVERTER 


ADVANTAGES: 


].  All  failure  modes  can  be  detected  (if  the  total  resolver  movement  is 
restricted  to  less  than  90  mechanical  degrees). 

2.  Provides  a  direct  conversion  of  shaft  angle;  no  transport  delay  delta 
between  "SIN  and  "COS  inputs. 

3.  With  reference  angle  compensation,  this  interface  is  accurate  to  with 
in  6  minutes. 

4.  Lends  itself  to  multiplexing  techniques. 

DISADVANTAGES: 

1.  Precision  k-C  bridge  required  with  good  stability  over  temperature. 

2.  Af :urate  sine-wave  generation  required  for  resolver  excitation.  Con¬ 
verter  is  sensitive  to  odd  harmonics. 

3.  Resolver  movement  should  be  restricted  to  less  than  90°. 

3.4.4  Resolver  Excitation 

The  Resolver  Excitation  circuit  used  in  the  final  RAEEC  system,  pruvides  a  pre 
cision  7  Vrms,  1.953  KHz  sinewave  for  excitation  of  the  engine  fuel  control 
resolvers.  Although  400  Hz  synchro  excitation  is  available  on  most  aircraft, 
this  configuration  for  self  excitation  of  fuel  control  feedback  transducers  is 
advciiitagcuus  for  the  rollow’ng  reasons: 

1.  Loss  of  the  400  Hz  bus  would  cause  the  engine  fuel  controls  to  lose 
feedback  signals,  causing  engine  shutdown. 

2.  A  400  Hz  excitation  system  causes  a  long  R/D  conversion  time,  since 
thu  period  of  on^.  sample  would  be  2.5  milliseconds,  and  a  minimum  con 
version  time  of  twice  the  excitation  period  is  required  for  settling 
and  conversion  time. 

This  circuit,  as  shown  in  Figure  19,  comprises  five  different  functions  which 
are  described  briefly  as  follows: 

3.4.4. 1  Transmission  Gate  Modulator 

This  circuit  provides  an  amplitude  modulated  1953  Hz  squarewave,  proportional 
to  the  error  integrator  output,  which  is  fed  to  the  tuned  filter. 


3. 4. 4. 2  Tuned  Filter 


The  first  stage  of  the  active  tuned  filter  section  is  a  bandpass  filter  to 
attenuate  the  third  harmonic  of  the  square  wave  and  also  to  block  the  DC  com¬ 
ponent.  The  center  frequency  is  at  1.953  KHz,  the  gain  is  0  dbv,  and  the  sen¬ 
sitivity  is  10.  The  second  stage  is  a  low  pass  filter  to  further  attenuate  the 
third  harmonic  distortion.  The  center  frequency  is  at  1.953  KHz;  zeta  is  0.1 
resulting  in  e  gain  of  14  dbv  at  fo  =  1.053  KHz. 

3. 4. 4. 3  Rectifier 

Amplifier  AR3  in  conjunction  with  diodes  CRT  and  r,R2  and  network  Z1  provide  a 
gain  of  -1  for  negative  inputs  and  0  f ir  positive  inputs.  The  offset  error  due 
to  the  diode  is  negated  by  the  ar.ipl  i  f  ier.  The  amplifier  output  is  summed  with 
the  filter  output  through  resistors  with  a  2:1  ratio  producing  a  precise  full 
wave  rectified  signal. 

3. 4. 4. 4  Error  Integrator 

To  obtain  the  error  signal  necessary  to  produce  a  G.SSo.'  Vrms  output,  AR4  real¬ 
izes  a.  summing  error  integrator.  The  rectifier  output  current  is  summed  with 
the  current  from  the  -10  VDC  reference.  If  the  currents  are  not  equal,  the 
integrator  ramps  up  or  do^^n  until  they  are.  The  sine  wave  input  does  not  affect 
the  DC  voltage  level  of  the  integrator  output  because  the  average  (or  DC)  value 
of  the  sine  wave  is  zero.  It  does,  however,  produce  a  full-wave  rectified  cur¬ 
rent  when  summed  with  the  half-wave  rectifier  output. 

3. 4. 4. 5  Power  Stage 

A  monolithic  power  driver  (HA2635)  is  used  to  obtain  the  necessary  drive  current 
for  resolver  excitation.  The  filter  output  is  buffered  with  a  747  op-amp  which 
supplies  the  drive  for  the  HA2635.  The  feedback  loop  is  unity  gain  and  serves 
to  reduce  nonlinearity  and  crossover  distortion  of  the  HA2635. 

The  driver  outputs  arc  matched  to  the  resolver  impedance  by  a  shunt  R-C  circuit, 
effecting  a  purely  resistive  load  to  the  power  booster.  This  reduced  the  re¬ 
quired  output  power  and  subsequent  dissipation  in  the  HA2635.  Matching,  at  this 
writing,  is  for  six  resolvers  in  parallel  (per  HA2635  driver)  and  can  be  ad¬ 
justed  where  more  resolvers  are  employed.  Individual  resolver  impedance  is  128 
+  j648. 

3.4.5  Torque  Motor  D/A's  and  Drivers 

This  circuit  is  capable  of  driving  a  torque  motor  with  an  average  DC  current  of 
40  milliamperes  using  a  pulse  width  modulation  technique.  Positive  or  negative 
pulses  of  40  msec  at  a  frequency  of  50  Hz  drive  the  torque  motor.  The  duty 
cycle  can  vary  from  0  to  100%  with  a  granularity  of  256  increments.  A  micropro¬ 
cessor  controls  8  torque  motor  driver  circuits.  The  microprucessor ’ s  task  is' 
to  turn  "on"  and  "off"  either  a  +14  volt  switch  or  a  -14  volt  switch  at  50  Hz 
at  the  proper  pulse  width,  .-ill  inputs  and  outputs  of  the  microprocessor  are 


82 


buffered  by  latches  because  of  the  number  of  required  I/O  signals.  The  torque 
motor  controller  is  a  stand-alone  circuit  that  is  a  slave  to  the  central  pro¬ 
cessor.  (Figure  20.) 

In  addition,  the  microprocessor  is  part  of  a  distributed  processing  system, 
which  reduces  the  load  on  the  CPU  and  enables  self-error  checking  at  the  inter¬ 
face  level . 

3.4.6  Solenoid  Drivers 

Solenoid  control  data  from  the  control  CPU  is  stored  in  a  TTL  register 
(SN54LS164).  This  register  will  control  8  individual  solenoids.  When  the  out¬ 
put  of  the  register  is  a  logic  "1"  (5  volts),  the  solenoid  will  be  activated 
by  the  power  booster  ULN-2804.  The  solenoid  is  powered  by  20  preregulated 
volts  from  the  power  supply.  The  output  state  of  the  solenoid  is  monitored  by 
a  LM148  for  fault  detection.  (Figure  21.) 

It  should  be  noted  that  although  the  circuit  power  dissipation  is  approximately 
1  watt  per  energized  solenoid,  on  an  average,  only  three  solenoids  (and  three 
drivers)  will  be  energized. 

3.4.7  Pressure  Sensors  and  Circuitry 
3.4. 7.1  Hamilton  Standard  Pressure  Sensor 

The  Hamilton  Standard  d’ ■’ital  pri.jsure  transducer  (Figure  22)  is  a  precision 
device  available  to  incustry.  The  pressure  transducer's  pressure  sensing  ele¬ 
ment  is  a  cylinder,  excited  by  a  magnetic  driving  circuit,  which  vibrates  at 
its  natural  frequency.  As  the  pressure  to  be  measured  increases,  internal 
forces  act  to  increase  the  stiffness  of  the  sensing  element  causing  the  natural 
frequency  to  increase  in  proportion  to  the  change  in  applied  pressure.  The 
inherent  high  accuracy  and  digital  nature  of  this  device  make  it  ideally  suited 
to  computer  controlled  systems. 

The  physical  parameters  which  may  be  measured  with  the  greatest  accuracy  are 
time  and  frequency.  Frequency  does  not  lose  its  identity  or  precision  by  trans¬ 
mission  and  may  always  be  measured  with  considerable  accuracy. 

The  pressure  transducer  sensor  is  comprised  of  two  concentric  cylinders,  an 
inner  one  and  outer  one,  separated  by  an  evacuated  space,  which  becomes  the 
absolute  pressure  reference.  These  cylinders,  while  separate  at  one  end,  share 
a  common  mounting  base.  The  walls  of  the  inner  cylinder  are  caused  to  vibrate 
at  their  lowest  natural  frequency  by  force  pulses  from  the  magnetic  field  of  a 
dr  '  .'er  coil  mounted  internal  to  the  inner  cylinder. 

Mounted  in  the  same  centerbody  as  the  driver  coil  is  the  pickup  coil  which  pro¬ 
duces  a  voltage  proportional  to  the  frequency  and  amplitude  of  cylinder  wall 
vibration.  The  pickup  voltage  is  fedback  to  the  driver  coil  through  an  opera¬ 
tional  amplifier  so  as  to  maintain  a  constant  cylinder  wall  vibratory  amplitude. 


FIGURE  20  TORQUE  MOTOR  DRIVER 


SOLENOID 

J 


(CONSTANT  VOLTAGE  ALTERNATOR! 


E-568$ 


FIGURE  21  SOLENOID  DRIVER 


EVACUATED  CYLINDER  END  CAP 


E-2014 


FIGURE  22  SECTION  VIEW  OF  PRESSURE  SENSOR 


When  a  pneumatic  pressure  is  introduced  into  the  inner  (vibrating)  cylinder, 
the  wall  elements  are  tensioned  and  the  cylinder  natural  frequency  increases. 
Hence,  the  natural  frequency  is  dependent  upon  pressure  in  the  nonlinear  rela¬ 
tionship: 

Pressure  =  A  +  Bft  +  Cft^  +  Df^^  +  Ef^A 

where  A,  B,  C,  D,  and  E  are  calibration  constants.  Therefore,  the  transducer 
sensor  converts  sensed  pressure  into  a  2  to  3  volt  square-wave  electrical  signal 
whose  frequency  is  a  nonlinear  function  of  the  sensed  pressure. 

3. 4. 7. 2  Circuitry 

The  pressure  sensor  electronics  provide  the  necessary  positive  feedback  for 
each  transducer  to  sustain  oscillation  in  its  primary  resonant  mode.  The  pick¬ 
up  signal  is  amplified  first  by  a  variable  gain  stage  and  second  by  a  fixed 
gain,  bandpass  amplifier.  The  filter  elements  in  the  second  stage  are  chosen 
to  provide  the  proper  phase  shift  that  will  result  in  a  loop  phase  shift  of 
360<^.  This  gives  maximum  support  to  oscillation  at  the  sensor's  resonant  fre¬ 
quency.  Drive  signal  amplitude  is  controlled  by  sensing  the  AC  drive  current, 
precision  rectifying  it,  and  comparing  the  rectified  signal  to  a  DC  reference. 

The  resultant  error  signal  is  integrated  and  used  to  control  the  gain  of  the 
input  variable  -  gain  amplifier.  The  system  frequency  is  sensed  at  the  output 
drive  by  a  comparator  and  converted  to  a  logic  level  signal. 

The  selected  pressure  sensor  concept  utilizes  two  I^L  devices  per  sensor  chan¬ 
nel,  greatly  reducing  board  area  and  number  of  interconnects.  The  custom  con¬ 
cept  also  includes  the  frequency  to  digital  converter.  The  circuit  (primary 
and  secondary  channels)  for  one  sensor  is  shown  in  block  diagram  form  in  Figure 
23.  Also  included  is  the  resistor  network  necessary  for  mating  the  redundant 
electronics  to  common  drive  and  pickup  coils  on  the  sensor. 

3. 4. 7. 2.1  Temperature  Sensor  Circuit  Because  the  natural  frequency  of  the 
vibrating  cylinder  is  a  function  of  both  pressure  and  the  ambient  temperature, 

a  temperature  sense  circuit  is  provided  to  measure  the  temperature  at  the  sensor 
and  provide  the  information  as  an  analog  signal  through  the  A/D  to  the  processor. 
Placed  at  the  top  of  the  spool  body  is  a  diode,  which  is  selected  for  its  tem¬ 
perature  coefficient. 

3. 4. 7. 2. 2  Digital  Correction  PROM  Each  pressure  sensor  is  packaged  with  spec¬ 
ific  compensating  digital  data.  (Taw  data  received  from  the  sensor  in  an  uncom¬ 
pensated  form  has  variations  in  linearity  with  pressure  level  and  temperature 
induced  shifts.  The  calibration  process  to  which  each  sensor  is  subjected 
establishes  exactly  how  much  compensation  each  sensor  requires  to  accurately 
convert  its  frequency  output  to  a  precise  digital  number.  This  compensating 
data  is  then  permanently  programmed  into  a  PROM  Memory  chip  where  it  can  be 
addressed  by  the  computer  each  time  the  sensor  is  addressed.  The  determination 
of  the  normalization  scale,  cubic  coefficients,  adjusted  counts,  pressure  and 
temperature  maps  are  determined  and  converted  from  engineering  units  (volts. 


87 


pRi 

AGC 

AMPUFIER 


PRI 

DRIVE 

AMPLIFIER 


SHARING  NETWORK 


AGC 

AMPLIFIER 

sec 

DRIVE 

AMPLIFIE*' 

MASTER  SLICE  CHIP  XR400 


TO 

TEMPERATURE 
^  MUX  AND 
SCALING 
AMPLIFIER 


TO 

TEMPERATURE 
^  MUX  AND 
SCALING 
AMPLIKItR 


^  MASTER  SLICE  CHIP  XR^O 

!  CONSTANT  VOLTAGE  I 

'  CURRENT  I 

; -  CONTROL  t  CURRENT 

•  AMPLIFIER  CONVERTER  I 


(SECONDARY 


PROGRAM- 

COMP 

ARATOR 

^0 

MABLE 
PERIOD  ^ 

16  -  3  - 

BIT  STATE 

COUNTER  BUFFER 


A  A  A 


PROGRAM  CLOCK  RESET  3  STATE 
PERIOD  INPUTS  enable 


PRESSURE 

SENSOR 


FIGURE  23  SENSOR  CIRCUIT  BLOCK  DIAGRAM 


GB 


psi,  etc)  to  programmable  binary  information  in  PROM  format  by  computer.  In¬ 
puts  to  the  computer  are  the  data  taken  on  each  pressure  sensor  during  calibra¬ 
tion, 

3.4.8  Low  Level  DC  Interface 

The  low  level  interface  (Figure  24)  multiplexes  four  low  level  signals  into  a 
high  impedance  instrumentation  amplifier.  The  signals  are  amplified  to  a  O-IOV 
level  and  multiplexed  along  with  the  TBT  signal  into  the  analog-to-digital  con¬ 
verter  buffer.  The  buffer  provides  a  higher  current  drive  for  the  A/D  onverter. 
The  circuitry  is  reduced  by  using  multiplexers  having  internal  protection.  Note 
that  the  primary  RAEEC  channel  requires  two  of  these  interfaces,  while  t'  s-c- 
ondary  requires  only  one. 

3.4.9  Resolver  Multiplexer 

This  resolver  multiplexing  scheme  (Figure  25)  employs  an  improved  CMOS  technol¬ 
ogy  known  as  dielectrically  isolated  CMOS.  The  selected  multiplexing  devices 
have  internal  protection  which  makes  possible  the  elimination  of  considerable 
external  protective  hardware. 

3.4.10  Discrete  Signal  Conditioner  Circuit 

The  discrete  signal  interface  (Figure  26)  inputs  three  discrete  switch  closures, 
a  LOD  detector,  and  a  serial  data  stream  transmitting  the  mach  number.  The 
discrete  switch  closures  are  conditioned  with  a  diode  resistor  network  that 
provides  well  defined  logic  levels  to  the  I/O  ports  of  the  8041  universal  peri¬ 
pheral  interface.  The  8041  is  also  used  to  read  the  serial  data  stream  and 
transfer  the  mach  number  to  the  main  CPU.  The  LOD  detector  output  is  rectified 
and  used  to  charge  the  capacitor  which  is  monitored  by  the  A/D  converter  to 
determine  if  a  "light  off"  condition  is  present. 

This  approach  utilizes  a  minimum  amount  of  hardware  and  at  the  same  time  sim¬ 
plifies  some  of  the  CPU's  tasks  through  distributive  processing  fault  detection 
concepts, 

3.4.11  Frequency  to  Digital  Speed  Interfaces 

The  speed  circuit  is  an  8253  programmable  counter  to  convert  Nl  and  Np  frequency 
to  digital  information.  The  counter  is  configured  as  a  divide  by  N  counter 
which  is  used  to  enable  a  high  frequency  clock  into  a  16  bit  counter  also  con¬ 
tained  on  the  8253.  The  signals  are  conditioned  by  using  a  quad  comparator 
that  converts  to  the  proper  logic  levels  internally.  The  comparators  are  pro¬ 
vided  with  hysteresis  to  minimize  the  effects  of  noise  on  low  frequency  conver¬ 
sions.  Diode  protection  is  also  provided  to  protect  the  comparator  inputs  from 
overvoltage  transients  (Figure  27). 


89 


t-  rill- 


FIGURE  27  SPEED  INTERFACE 


3.4.12  Turbo  Pump  Speed  Interface 

The  turbine  pump  speed  interface  inputs  a  pulse  train  fi'om  a  magnetic  pickup. 

The  frequency  of  the  pulses  is  proportional  to  the  turbine  pump  speed.  The 
pulses  are  converted  to  logic  levels  with  a  comparator  and  fed  into  a  universal 
counter  chip.  This  chip  is  programmed  to  count  a  specified  number  of  periods 
and  gate  a  high  frequency  clock  into  a  self  contained  counter.  The  final  count 
can  be  read  by  the  CPU  to  determine  turbine  pump  speed  (Figure  28). 

3.4.13  Fault  Detection  Logic 

The  primary  channel  receives  four  fault  signals  from  the  secondary  channel. 

The  secondary  channel  also  receives  four  fault  signals  from  the  primary  channel. 
A  buffer  and  peripheral  resistors  are  used  for  each  signal  path  to  interface 
the  two  channels.  The  fault  signal  paths  for  both  channels  are  of  a  CMOS  design 
with  the  constraint  that  no  input  signals  can  be  present  when  the  system  is  not 
energized.  The  power  supplies  from  the  two  channels  are  OR'ed  and  then  fed  to 
both  fault  detection  logic  circuits.  This  ensures  that  both  fault  detection 
circuits  will  be  powered  if  either  channel  is  powered,  thus  satisfying  the  con¬ 
straint  that  no  input  signals  can  be  present  when  the  system  is  not  energized 
(Figure  29) . 

3.4.14  Power  Supply  System 

The  power  source  is  a  voltage  controlled  "flux  switching"  type  alternator.  In¬ 
put  power  is  rectified  and  capacitor  filtered.  The  rectified  voltage  (20  VDC) 
is  sensed  and  compared  with  a  reference.  The  resultant  error  signal  is  ampli¬ 
fied  and  used  to  control  the  field  of  the  alternator,  thus  maintaining  a  con¬ 
stant  20  VDC  from  the  alternator.  The  +20V  is  used  to  power  all  solenoids,  the 
+15V  regulator  and  the  +5V  regulator.  The  +5V  regulator  is  a  pwm  switching 
type  regulator.  The  +5V  powers  all  of  the  logic  and  memory  circuits.  The  +15V 
regulator  is  a  series  monolithic  regulator.  The  +15V  supplies  the  positive 
rail  for  analog  circuits  and  torque  motors,  the  +10V  reference,  and  an  inverter 
from  which  negative  voltages  are  developed.  The  inverter  is  operated  in  sync 
with  the  +5V  switching  regulator  to  preclude  any  beat  effects.  Inverting  action 
is  accomplished  through  a  transformer  with  transistor  push-pull  drive.  -15V, 
and  any  other  negative  voltages  that  may  be  desired,  are  derived  from  the  trans¬ 
former  secondary.  -15V  supplies  the  negative  rail  for  analog  circuits  and 
torque  motors. 

A  comparator  monitors  +5  for  overvoltage  and  has  authority  to  decrease  the  +20V 
bus  if  an  overvoltage  condition  is  detected.  Three  additional  comparators  mon¬ 
itor  +5  for  low  voltage  and  +10  for  high  or  low  voltage.  All  four  comparators 
have  authority  to  generate  a  power  supply  reset  (PSR)  signal  if  voltage  is  out 
of  tolerance.  (Figures  30  and  31,  and  Table  11.) 


94 


FAULT  SIGNALS 
FROM 

SECONDARY  CHANNEL 


FAULT  SIGNALS 
TO 

PRIMARY  CHANNEL 


E-5776 


note;  THE  CIRCUIT  IS  REPEATED  FOR  THE  OPPOSITE 
DIRECTION  (FROM  PRIMARY  TO  SECONDARY) 


FIGURE  29  FAULT  DISCRETES 


9G 


+  20  V 


FIGURE  31  A/C  INTERFACE,  POWER  SUPPLY  SYSTEM 


TABLE  11  POWER  SUPPLY  REQUIREMENTS 
Power  Supply  Load  Rating 


VOLTAGE  CURRENT 


+5V 

.90A 

+  10V 

.015A 

+14V/+15V 

.30A 

-14V/-15V 

.40A 

+20V 

3.10A 

Typical  Power  Dissipation* 


Input  Bridge 
Alt.  Volt.  Control  Crt. 

+15V  Series  Reg 
Inverter  &  -15  Supply 
+14V  Shunt  Reg 
-14V  Shunt  Reg 
+10V  Reg 
+5V  Reg 
PSR/OV 

Prime  (  LOO  in  Standby 

Power  Supply  Sub  Total 

EEC  Digital 
Analog 

Drivers  (Series  Prop) 
Total  Non  P/S 

Total  EEC 


4.0 

6.15 

3.35 


Secondary 


Total 


*  Load  Assumptions: 


20V  Solenoids  0  .3A  3 

Torque  Motors  .05A/.15A  +15V/-15V 

Analog  Load  .2A/,2A  +15V/-15V 

+10V  Load  .015A 

+5V  Load  .8A 


3.40W 

3.40W 

4.68W 

1.50W 


O.lOW 

1.75W 

O.lOW 

O.lOW 

15.53W 


13. SOW 
29.03W 
29.03W 
58.06W 


90 


3.4.15  CPU  Design 

During  the  design  phase  of  all  the  circuits  involved  in  the  trade  study  of 
Appendix  A,  it  was  realized  that  in  several  areas,  it  was  more  profitable  both 
from  a  reliability  improvement  and  a  parts  count  reduction  stand  point,  to  use 
a  single-chip  microcomputer  (like  the  8048,  for  example)  instead  of  all  the 
discrete  logic  it  replaced.  When  the  studies  were  completed,  the  final  RAEEC 
design  choice  actually  comprised  six  processors:  the  main  CPU,  and  five  I/O 
processors,  as  shown  in  Figure  32.  This  system  became  a  distributive  processing 
array,  which  simplified  the  task  load  on  the  main  CPU.  Since  this  system  is 
actually  a  loosely-coupled  parallel  processing  array,  the  resulting  throughput 
is  far  in  excess  of  what  the  simplex  baseline  design  presented.  As  an  example, 
the  baseline  CPU  was  responsible  for  all  Built-In  Test  logic  required  to  check 
itself  and  all  interfaces;  however,  the  final  RAEEC  I/O  processors  will  now  be 
responsible  for  performing  their  own  Built-In  Test,  relieving  the  main  CPU  for 
other  tasks.  Another  example:  in  case  of  the  untimel.v  demise  of  the  main  CPU 
the  Dual-Port  Link  Alive  Processor  will  communicate  with  all  surviving  I/O  pro¬ 
cessors,  and  then  communicate  the  I/O  data  through  the  dual-port  link  to  the 
other  RAEEC  channel. 

The  computer  architecture  "Bottom-Line"  is  shown  in  Table  12.  This  summary 
presents  the  results  of  several  complete  CPU  trades  at  a  glance,  including  the 
final  RAELC  Single  Instruction  Single  Data  (SISD)  design.  The  reader  should 
note  that  the  Design  Recommendation  Computer  is  only  2.4%  better  in  reliability 
points  than  the  Basic  2901  computer,  but  the  final  RAEEC  design  recommendation 
computer  also  requires  24%  less  board  area,  and  requires  391%  less  power.  These 
other  factors  may  have  a  larger  effect  than  2.4%  on  the  final  design  than  nor¬ 
mally  expected,  since  junction  temperature  (and  reliability)  will  be  a  function 
of  board  area  (final  box  size)  and  the  power  dissipation  of  surrounding  compon¬ 
ents. 


3.4.15.1  Processor  Choice 

The  chosen  processor  is  a  12  component  3  chip  configuration  which  can  be  imple¬ 
mented  in  several  semiconductor  technologies  and  in  either  a  semi-standard  or 
custom  manner.  One  configuration  would  use  the  CMOS/SOS  HS  16/24.  A  second 
would  use  the  same  architecture  but  implemented  with  semi-standard  gate  arrays. 
The  gate  arrays  would  be  made  with  either  CMOS  or  t2l  semiconductor  technology. 
Selection  of  architecture  whicli  can  be  implemented  several  ways  provides  a 
freedom  to  select  the  final  technology  based  on  actual  strength  and  avail¬ 
ability  of  semiconductor  sources  rather  than  on  projections  of  such  sources. 

The  main  CPU  will  be  described  as  the  CMOS/SOS  HS  16/24  with  the  understanding 
that  this  might  be  implemented  with  CMOS  or  I^L  gate  arrays. 

The  processor  was  chosen  only  by  the  reliability  score,  (the  exact  same  scoring 
system  used  on  all  other  circuits),  but  could  have  been  chosen  on  other  merits 
as  well. 


100 


DATA  LINK 
TO/ FROM 
SECOMOARY 


ANALO;  (>R:vt 
TO  FIRbT  ? 
TOROUE  MOTORS 


ANALOG  DRIVE  TO 
NEXT  4  TOflOUE  MOTORS 
PLUS  4  REDUNDANT 
TOROUE  MOTORS 


E-4719 


FIGURE  32  RAEEC  DISTRIBUTIVE  PROCESSING 


TABLE  COMPUTER  ARCHITECTURE  "BOTTOM-LINE" 


CONVENTIONAL  PACKAGES;  DIPS,  FLATPACKS,  ETC. 


The  main  advantages  of  this  processor  over  others  considered  are: 


•  Best  reliability  score 

•  Lowest  power  dissipation  (320  milliwatts) 

•  Smallest  board  area 

•  Very  good  throughput  (  >666  KOPS) 

Custom  Processor 

Several  system  houses,  including  Hamilton  Systems  Division  of  Hamilton  Standard, 
have  been  forced  into  the  development  of  their  own  proprietary  custom  processors 
in  order  to  provide  a  military,  competitive,  minimum  component,  low  power 
machine  with  adequate  performance.  Hamilton  Standard  has  designed  its  own  CMOS 
Si  1 icon-on-Sapphire  processor  to  meet  the  system  needs  of  the  1980's  as  shown 
in  Figure  33.  It  is  designated  the  SOS  HS  16/24  since  it  can  be  configured  as 
a  3-chip  ^6-bit  machine,  or  as  a  4-chip  24-bit  machine.  The  custom  chip  set, 
when  configured  as  a  16-bit  parallel  machine,  comprises  one  "Control/Timing" 
chip  and  two  "B-bit  slice"  chips,  plus  five  standard  SSI  devices  and  four  de¬ 
coupling  capacitors.  These  12  components  dissipate  a  total  of  0.32  watts  and 

will  execute  the  fuel  control  instruction  mix  at  666  KOPS  when  configured 
with  MOS  RAM  and  ROM.  This  machine  easily  meets  the  "450  KOPS"  minimum,  and 
could  therefore  be  slowed  30%;  however,  by  the  time  that  a  RAEEC  system  flys, 
this  extra  capacity  may  be  required  for  future  tasks.  Please  refer  to  the  sum¬ 
mary  snown  in  Table  13. 

CPO  Architecture 

The  HS  16/24  CPU  is  a  flexible,  controls-oriented,  CMOS  LSI,  bit  parallel, 
fractionally  scaled  two's  complement,  combinational  logic,  state  machine.  De¬ 
signed  initially  for  either  16-  or  24-bit  word  lengths  (16  bits  for  fuel  con¬ 
trols  and  24  bits  for  navigational  computations),  it  may  be  operated  with  clock 
rates  from  0  to  1  MHz  (0  to  4  MHz  clock  input),  supply  voltages  from  0  to  -15 
VDC,  and  temperatures  from  -55°C  to  ■►125°C.  It  is  structured  as  shown  in  figure 
34  with  six  dedicated  registers,  a  program  incrementer,  an  arithmetic  logic 
unit  (AL'd),  all  "hard-wired"*  control  logic  and  timing.  The  CPU's  37  instruc¬ 
tions  are  aesigned  to  operate  with  a  microinstruction  controlled  cluck  which 
can  synclironously  vary  the  microinstruction  execution  times  betweeti  500  nanosec 
and  2.0  microscc,  allowing  all  instructions  to  be  executed  with  niaximuiri  speed 
efficiency.  Instruction  execution  times  are  also  minimized  via  overlapped 
Fetch/Lxf.’cute  cycles,  look-ahead  carry  in  both  arithmetic  unit  ana  ''egister 
unit  adders,  and  judicious  selection  of  all  register  transfer  paths  to  allow 
niultiple  register  trarisfers  to  occur  simultaneously. 


*  A  inicroprogranmab  le  control  store  was  designed  for  tliis  machine,  which 
unfortunately  cuiriprised  some  20  components  (including  5  ROMs),  which 
were  dee:iied  far  less  reliable  and  slower  than  the  hard-wired  control 
logic  whicfi  replaced  them. 


104 


FIGURE  33  THREE-CHIP  HS  16/24  MACHINE 


TABLE  13  SINGLE  INSTRUCTION  SINGLE  DATA  CPU 


FEATURE 

3-CHIP  HS  16/24 

IN  DEVELOPMENT 

if  OF  COMPONENTS 

12 

a  OF  SOLDER  JOINTS 

264 

BOARD  AREA  (IN^) 

10.0  (5.13*) 

CUSTOM  LOGIC 

YES 

MAX  THROUGH-PUT 

>666  KOPS** 

POWER  DISSIPATION 

.32  w  maximum 

RELIABILITY  RATIO 

226 

*  IMPROVEMENT  USING  LEADLESS  CARRIERS 

**  ALTHOUGH  MUCH  HIGHER  SPEEDS  ARE  OBTAINABLE  (1  "MIP"  FOR  2900  IS  COMMON  TODAY), 
THROUGHPUT  IS  LIMITED  BY  THE  RELATIVELY  LONG  300  ns  MEMORY  ACCESS  TIME. 


E-2646 


CPU  Hardware  Implementation 


The  digital  logic  required  to  implement  the  HS  16/24  CPU  design  was  partitioned 
into  two  different  custom  LSI  types.  A  total  of  three  of  these  LSI  devices 
are  required  for  the  complete  16-bit  processor  design:  one  Control  Logic/Tim¬ 
ing  CMOS  SOS  VLSI  module  (5E8065/10)  and  two  8-bit  Register/ALU  CMOS  SOS  VLSI 
modules  (5E8065/09). 


Register/ALU  Description 


The  arithmetic  logic  unit  performs  the  actual  execution  of  all  arithmetic  and 
logic  instructions.  An  arithmetic  instruction  always  involves  two  operands 
that  must  be  combined.  One  of  the  operands  is  specified  in  the  address  portion 
of  the  instruction  word  and  comes  from  memory  or  an  input  device.  The  other 
operand  is  already  in  the  A  register  of  the  arithmetic  unit  as  a  result  of  a 
previous  instruction.  The  operation  code  portion  of  the  instruction  word  spec¬ 
ifies  exactly  how  the  two  operands  are  to  be  arithmetically  or  logically  com¬ 
bined  . 


There  are  six  dedicated  16-bit  parallel  registers  associated  with  the  arithme¬ 
tic  and  register  units. 

CPU  Throughput 


The  performance  of  a  processor  may  be  measured  in  its  throughput,  or  given  a 
particular  instruction  mix,  the  maximum  number  of  instructions  that  it  will 
process  in  one  second.  While  on  the  other  hand,  the  figure  of  merit  of  a  pro¬ 
cessor  may  be  measured  in  its  throughput  per  watt  or  kops/watt,  where  kops  is 
thousands  of  operations  per  second.  The  instruction  mix  used  in  calculating 
throughput  is  derived  from  the  actual  program  used  in  a  recent  breadboard  de¬ 
signed  for  an  engine  fuel  control.  Based  on  this  mix,  the  predicted  throughput 
is  666  kops. 


Watchdog  T imer 


The  watchdog  timer  is  a  hardware  built-in  test  circuit  which  is  used  to  detect 
and  either  correct  or  flag  a  hung  CPU  condition.  Its  primary  function  is  to 
eliminate  any  infinite  looping  that  may  occur  as  a  result  of  a  lightning  dis¬ 
charge  or  other  abnormal  transient.  This  looping  condition  is  quickly  detected 
by  the  timer  as  the  timer  must  be  reset  by  the  CPU  after  each  CPU  control  loop. 
When  the  CPU  is  hung,  the  timer  is  not  reset  and  the  error  is  detected.  A 
reset  pulse  is  given  to  the  CPU  in  an  attempt  to  restart  it.  All  output  effec¬ 
tors  are  also  reset  at  this  time  and,  if  the  CPU  does  not  recover,  the  LRU 
fault  indicator  is  latched  and  the  secondary  is  notified  via  the  three  emergency 
fault-status  lines  that  it  is  now  in  full  control. 


3.4.15.2  Random  Access  Memory 

The  Random  Access  Memory  chosen  for  the  RAEEC  is  an  all  N-channel  RAM.  A  1024 
word  RAM  block  diagram  is  shown  in  Figure  35.  Table  14  summarizes  some  of  the 
RAM  design  features  from  the  trade  study  of  Appendix  A. 

3.4.15.3  Read  Only  Memory 

All  N-channel  ROM  was  selected  for  the  final  RAEEC  design.  Among  other  things, 
this  implementation  enjoyed  the  highest  reliability  rating  in  the  trade  study 
of  Appendix  A  (Table  15). 

3.4.15.4  I/O  Addressing  Logic 

Every  computer  system  requires  a  block  of  logic  for  special  addressing  func¬ 
tions,  such  as  input/output  interface  enables,  special  memory  enables,  and 
special  read/write  signals.  In  small  microprocessors,  this  logic  might  com¬ 
prise  a  group  of  LSI  chips  known  as  "Periferal  Interface  Adapters",  plus  a  few 
SSI  buffer  chips. 

The  final  RAEEC  I/O  design  (Figure  36,  Table  16)  is  the  same  ,'s  the  baseline's 
(Appendix  A).  This  combinational  logic  comprises  18  SSI  and  I'lSI  components 
for  implementing  this  function. 

3.4.15.5  Dual-Port  RAM 

The  "Oual-Port  RAM"  logic  is  possibly  the  most  critical  link  to  the  success  of 
the  RAEEC  program.  This  system  must  transfer  information  transparently  between 
the  two  processor  channels,  and  is  therefore,  referred  to  as  a  dual-port  RAM 
system,  since  each  processor  has  dual-port  like  access  to  the  other's  critical 
data.  The  actual  "D-P  RAM"  interface  design  involved  three  individual  trades; 
(a)  method  of  data  transmission  between  processors,  (b)  type  of  dual-port  logic 
to  be  utilized,  and  (c)  survivability  of  the  data  lif'k  in  the  event  of  a 
processor  failure. 

The  transmission  scheme  selected  in  the  trade  study  of  Appendix  A  is  serial 
transmission  of  word  data.  This  system  requires  the  fewest  number  of  lines  in 
each  direction;  one  if  single  ended  or  two  if  the  transmission  is  dual  differ¬ 
ential  to  avoid  potential  ambiguity.  Since  "UART"  devices  are  relatively  in¬ 
expensive,  MIL-qual if ied  and  multiple  sourced,  and  can  simultaneously  transmit 
and  receive  serial  data,  a  UART  was  chosen  for  this  purpose. 


105 


FIGURE  35  1024  WORD  RAM 


Wipwp'  ▼'"’f  ■"'"'""'SP*' 


TABLE  14 


i; 


2 


FEATURE 


#  OF  COMPONENTS 


#  OF  SOLDER  JOINTS 


BOARD  AREA  (IN^) 


PuWER  (WATTS) 


MAX  CYCLE  TIME 


MAX  ACCESS  TIME 


RELIABILITY  RATIO 


•k 


THE  CPU  THRU-PUT  WILL  LIKELY  BE  REDUCE 
BE  REQUIRED. 

T  USING  LEADLESS  CARRIERS 


**  IMPROVEMEN 


C  RAM  DESIGN 


RAEcC 

ALL  N-CHANNEL 


TABLE  15  RAEEC  ROM  DESIGN 


FEATURE 

ALL  ROC  (N-CHAN) 

f  OF  COMPONENTS 

14  1/6 

#  OF  SOLDER  JOINTS 

210 

OCARO  AREA  (IN^)  (1  )/(2) 

10.2/4.01 

POWER  (WATTS) 

0.87 

MAX  ACCESS  TIME 

300  nsVlOO  ns 

CUSTOM  MASK  REQD? 

YES  (4) 

PRODUCTION  RECOMMENDATION 

YES 

RELIABILITY  RATIO 

212 

(1)  AREA  USING  EONVENTIONAL  DIPS  (2)  AREA  USING  LEADLESS  CARRIERS 
*  "WAIT  STATE  KAY  BE  REQUIRED  FOR  I'.EMORY  REFERENCED  INSTRUCTIONS  (POTENTIALLY  REDUCING  KOPS) 
**  SOS  AND  CMOS  EXCITED  WITH  6  VDC 


E— 26  50 


CPU  I/O  BUS 


COMMAND 
CONTROL  LINES 

—) OUTPUT 

I  (OTA) 

INPUT 
(INA) 


CPU 


COMPUTER 

ADDRESSING 

LOGIC 


ADDRESSES 


#  OF  COMPONENTS 


18 


#  OF  SOLDER  JOINTS 

180 

BOARD  AREA  (IN^) 

S.74  (4.?3^) 

POWER  (WATTS) 

0.31 

CUSTOM  PARTS 

NO 

RELIABILITY  RATIO 

LCC  DIP 

307/302 

*  IMPROVEMENT  USING  LEADLESS  CARRIERS 


E' 


D-P  RAM  Logic 


Once  the  transmission  medium  was  selected,  the  actual  dual-port  RAM  logic  was 
developed  and  studied.  The  five  different  approaches  studied  are  described 
briefly  below: 

1 .  Real  Time  DMA  (Cycle  Steal) 

This  approach  provides  the  fastest  data  access  with  the  least  data 
transport  delay.  However,  it  requires  a  very  fast  memory  (^access 
<  100  ns)  so  that  one  machine  isn't  slowed  by  the  one  performing  the 
DMA,  and  it  requires  full  parallel  access  (all  16  bits  of  data)  to 
prevent  data  change  during  a  DMA  cycle. 

This  concept  has  the  advantage  of  being  transparent  to  both  CPU's. 

2 .  DMA  Block  Transfer 

This  concept  actually  involves  the  halting  of  a  machine  for  the  time 
it  takes  to  effect  a  complete  transfer  of  data.  Although  fast,  it  runs 
the  risk  of  an  additional  failure  mode,  whereby  the  transfer  logic 
could  paralyze  a  processor  by  holding  it  in  a  DMA  mode. 

3.  Asynchronous  Data  Transfer.  With  Handshake 

This  concept  requires  a  mail-box  latch  or  "FIFO"  (First-In,  First-Out) 
approach,  where  either  a  flag  is  monitored  or  a  data  ready  interrupt 
is  generated.  In  either  case,  extra  overhead  for  both  CPU's  is  re¬ 
quired  to  maintain  the  data  transfer.  (Refer  to  AM  2950  8  bit  parallel 
I/O  port,  Appendix  A. ) 

4 .  Virtual  Dual-Port  RAM 

This  concept  requires  that  several  off  the  shelf  dual-port  RAM's  be 
tied  together  to  make  a  large  enough  cache;  however,  this  system  pro¬ 
vides  a  real  time  data  transfer,  without  any  possible  interference 
between  the  two  machines. 

5.  Simulated  Dual-Port  RAM 


This  concept  provides  the  advantage  of  transparency  between  machines, 
but  adds  an  additional  data  transport  delay  which  is  a  function  of  the 
data  transmission  concept  utilized.  Data  is  accessed  on  a  cycle-steal 
DMA  basis  and  then  sent  serially  to  a  second  cycle-steal  DMA  interface, 
where  the  data  is  transparently  placed  into  the  second  machines  RAM. 


114 


This  was  the  concept  used  in  the  baseline,  which  was  improved  in  alternate 
design  #1,  shown  in  Figure  37  and  Table  17,  and  chosen  for  the  final  RAEEC 
design. 

Alternate  Backup  Modes  For  a  Failed  Processor  in  a  i^ual  Channel  System 

An  obvious  multiple  failure  situation  that  could  occur  and  would  result  in  a 
completely  inoperable  system,  if  link  operation  were  dependent  on  the  CPU,  is 
when  a  central  processing  unit  (CPU)  in  one  channel  fails  and  any  other  func¬ 
tional  block  in  the  other  channel  fails. 

The  real  choices  can  be  reduced  to  a  few  obvious  alternatives.  These  alterna¬ 
tives  all  consist  of  ways  of  providing  a  backup  capability  for  the  CPU  to  either 
provide  full  capability,  partial  capability,  or  conditional  capability.  By 
this  it  is  meant  tnat  full  capability  implies  that  the  backup  system  has  the 
same  level  of  performance  as  the  prime.  Partial  capability  implies  that  the 
backup  system  has  a  lesser  level  of  performance  than  the  prime.  Conditional 
capability  means  that  backup  capability  may  or  may  not  exist  depending  upon  the 
mode  of  failure  of  the  prime  and,  for  this  discussion,  that  if  backup  capabil¬ 
ity  can  be  provided  it's  performance  level  will  be  less  than  that  of  the  prime. 

The  tabulated  choices  include  the  following: 

1 ,  Full  Capability  Aackup  Using  an  Additional,  Idpntical  CPU 

The  advantages  of  this  approach  are  that  the  task  for  the  CPU  remains 
the  same  and  therefore,  does  not  entail  reconfiguration,  redefinition, 
or  alternate  modes  of  operation  which  would  involve  extra  firmware; 
it  also  allows  ooeration  with  no  degradation  of  performance.  The 
backup  system  is  also  allowed  to  remain  idle,  with  no  power  applied. 
Consequently,  the  backup  is  a  "cold  spare",  which  is  more  reliable 
having  accumulated  no  operating  time. 

The  disadvantages  are  that  the  approach  is  expensive  in  hardware,  and 
consumes  considerable  space.  See  Figure  38. 

This  microcomputer,  the  "link-d''ive  processor",  is  shown  with  the  dual-port 
logic  in  Figure  37. 

2 .  Conditional  Capability  Backup  Using  The  "Failed"  CP'd  at  Reduced 
(Performance  Capability 

The  advantages  of  this  approach  are  that  the  cost,  power  and  space 
requirements  are  less  than  those  of  the  first  alternative.  Switching 
is  not  involved  except  for  PROM  devices,  and  isolation  of  failed  hard¬ 
ware  is  a  software  rather  than  a  hardware  function.  Ihis  approach 
also  encompasses  memory  failures  (PROM)  since  a  separate,  reduced  per¬ 
formance  memory  replaces  the  main  memory  after  a  failure. 


11b 


FIGURE  38  FULL  CAPABILITY  BACKUP  USING  AN  ADDITIONAL,  IDENTICAL  CPU 


IK 


The  disaavantages  are  that  many  failures  will  make  the  CPU  completely 
inoperable  rather  than  providing  graceful  degradation  to  a  reduced 
performance  mode.  Software  error  detection  schemes  must  be  more  so¬ 
phisticated  and  therefore,  consume  more  memory  space. 

By  making  certain  assumptions,  the  last  alternative  yields  the  greatest  increase 
in  reliability  for  an  incremental  increase  in  redundancy  and  cost. 

One  of  these  assumptions  is  that  the  CPU's  performance  could  be  reduced  to  hav¬ 
ing  the  capability  to  do  basic  information  transfers.  Transfers  such  as  input¬ 
ting,  outputting,  register  to  memory  and  memory  to  register  operations  as  well 
as  a  single  conditional  skip  and  a  single  jump  operation.  This  rudimentary 
capability  was  assumed  to  be  adequate  for  a  minimum  performance  backup  CPU, 
Another  assumption  is  that  error  detection  be  limited  to  nonquantifying  deci¬ 
sions  so  that  any  failure  resulted  in  assuming  performance  capability  degrada¬ 
tion  to  the  basic  operations  discussed.  This  last  assumption  yields  a  large 
pay  back  in  the  reduction  of  the  sophistication  of  software,  the  amount  of 
diagnostic  software,  the  number  of  backup  modes  of  operation,  and  the  time  nec¬ 
essary  to  achieve  error  detection. 

An  investigation  at  the  circuit  level  revealed  that  approximately  60%  of  the 
transistors  on  the  chip  could  be  stuck  in  either  the  high  or  low  state  (these 
were  considered  one  at  a  time,  not  all  at  once)  and  an  operable  system  could  be 
maintained  if  limited  to  the  discussed  operations. 

This  approach  requires  that  the  failed  CPU  perform  extensive  diagnostics  on  it¬ 
self,  to  determine  which  instruction  has  failed,  and  to  branch  to  a  backup  1/0 
routine  which  does  not  contain  the  failed  instruction.  In  this  mode,  the  failed 
operable  CPU  provides  I/O  capability,  via  dual-port  RAM,  to  the  healthy  CPU, 
thereby  allowing  additional/multiple  I/O  failures  with  no  degradation  in  per¬ 
formance  (Figure  39) . 

3.  Partial  Capability  Backup  Using  a  Single-Chip  CPU 

The  advantages  of  this  approach  are  that  the  system  cost  is  less,  power 
is  less,  and  space  requirements  are  less  than  the  first,  or  second 
approach,  while  many  of  the  good  characteristics  of  both  are  retained. 
It  should  be  understood  that  in  this  discussion  the  single-chip  CPU 
includes  its  own  RAM  and  ROM  on  the  chip.  And  since  the  single-chip 
CPU  is  actually  a  stand-alone  microcomputer  it  is  only  dependent  on 
the  main  CPU's  Built-In  Test  output  for  its  operational  mode;  i.e., 
if  the  main  CPU  fails  its  instruction  test,  RAM  diagnostic,  or  ROM  sum 
check,  or  continuously  watchdog  times-out,  then  this  backup  CPU  will 
take  over  control  of  the  operation  of  the  dual-port  link, 


This  latter  approach  was  the  one  chosen  to  maintain  the  data-link  sur¬ 
vivability,  and  in  fact  is  referred  to  as  the  "link-alive"  processor. 
Its  two  main  functions  are: 


E-5693 


FIGURE  39  CONDITIONAL  CAPABILITY  BACKUP  USING  THE  FAILED  CPU 
AT  REDUCED  PERFORMANCE  CAPABILITY 


120 


(1)  To  service  the  dual-port  UART:  to  check  word  formatting,  parity, 
etc,,  and  to  self-test  the  link. 

(2)  In  addition  to  the  above,  if  the  Built-In  Test  logic  indicates 
a  failure  of  the  main  CPU,  this  machine  will  communicate  to  all 
I/O,  and  format  this  information  for  the  dual-port  link, 

3.4.15.6  Test  UART 

The  Test  UART  is  actually  only  used  for  ground  test  troubleshooting,  and  there¬ 
fore,  could  fail  and  never  cause  any  degradation  in  any  flight  mode.  Since  the 
baseline  test  UART  already  used  a  minimum  of  components,  the  only  possible  im¬ 
provements  would  be  to  use  leadless  chip  carriers  and  to  use  the  28  pin  USART 
instead  of  the  40  pin  UART  in  order  to  cut  back  on  solder  connections.  This  is 
the  final  RAEEC  choice.  Refer  to  Figure  40  and  the  trade  study  summary  shown 
in  Table  18. 

3.4.16  Low  Voltage  Circuit  Derating 

The  baseline  RAEEC  CMOS  logic  ran  exclusively  on  the  10  volt  power  bus  either 
to  achieve  adequate  performance  or  tc  be  compatible  with  CMOS  which  had  to  run 
at  10  volts.  For  example,  the  baseline  processor,  the  SOS  RAMs,  all  CMOS  buf¬ 
fers,  and  the  UARTs  were  operated  at  10  VDC.  Also,  in  the  interface  area,  all 
discrete  CMOS  control  logic,  the  six  custom  LSI  chips  (used  for  A/D,  R/D,  FREQ/ 
0,  and  SERIAL/D),  and  the  output  shift  registers  were  operated  on  the  10  volt 
power  bus. 

On  the  other  hand,  the  final  RAEEC  system  contains  no  CMOS  on  the  10  volt  bus 
except  for  the  SOS  HS  16/24  processor,  which  uses  the  10  volts  internally  for 
high  performance.  The  CMOS  SOS  HS  16/24  actually  operates  on  two  supply  volt¬ 
ages;  +10  VDC  for  internal  performance  and  +5  VDC  for  TTL  I/O  compatibility. 

With  this  architecture,  no  CMOS  anywhere  in  the  system  will  be  required  to  run 
on  10  VDC  except  for  one  4050B  (which  is  used  as  a  clock  buffer)  and  a  single 
two-input  NAND  gate. 

A  comparison  of  derating  factors  used  in  the  baseline  and  in  the  final  RAEEC 
systems  is  presented  in  Table  19.  The  design  change  from  100%  CMOS  operating 
on  the  10  volt  bus,  to  greater  than  90%  CMOS  operating  on  the  5  volt  power  bus 
will  result  in  a  significant  increase  in  RAEEC  CMOS  logic  reliability. 

In  the  linear  area,  all  the  baseline  RAEEC  design  operational  amplifiers  were 
powered  by  the  +14  volt  and  -14  volt  power  buses  for  two  reasons: 

The  14  volt  supplies  were  convenient  since  the  shunt  regulators  provided 
these  buses. 

Most  analog  signals  were  required  to  slew  to  either  plus  or  minus  10  volts, 
which  was  only  possible  if  the  amplifier  supplies  were  two  to  four  volts 
greater  than  the  range  of  operation. 


121 


TABLE  18  RAEEC  TEST  UART 


TABLE  19  CMOS  STRESS  DERATING  IMPROVEMENT 


Baseline  Design 

RATED 

VOLTAGE 

OPERATING 

VOLTAGE 

VOLTAGE 

STRESS 

5  Chip  Processor 

IIV 

lOV 

.91 

6  Chip  Interface 

nv 

lOV 

.91 

Discrete  CMOS 

18V 

lOV 

.56 

RAM  (SOS) 

18V 

lOV 

.56 

ROM  (TTL) 

7V 

5V 

.71 

UART  (CMOS) 

18V 

lOV 

.56 

Final  Design 

RATED 

VOLTAGE 

OPERATING 

VOLTAGE 

VOLTAGE 

STRESS 

3  Chip  Processor 

20V 

lOV 

.50 

N-Channel  &  80C48 

7V 

5V 

.71 

Discrete  CMOS 

18V 

5V 

.28 

RAM  (N-Channel) 

7V 

5V 

.71 

ROM  (N-Channel ) 

7V 

5V 

.71 

UART  (CMOS) 

18V 

5V 

.28 

124 


However,  there  are  CMOS  operational  amplifiers  on  the  market  today  (manufactL:''ed 
by  RCA  and  INTEL  for  example)  which  will  slew  rail  to  rail.  If  the  +  10  volt 
reference  supplies  were  n;ade  large  enough  to  handle  the  additional  (Tow  power 
by  the  way)  operational  amplifier  load,  then  the  two  14  volt  regulators  could 
have  been  deleted.  Also,  if  all  op-amps  were  run  on  +  10  volts  instead  of  +  14 
volts,  the  voltage  stress  would  decrease  and  there  would  be  an  accompanying" 
increase  in  reliability.  The  scope  of  the  program  did  not  permit  more  study 
in  this  area,  thus  the  14  volt  power  buses  were  used. 


125 


3.5  Mechanical  Design 


3.5.1  General 


The  preliminary  design  of  the  Electronic  Engine  Control  (EEC)  developed  under 
the  RAEEC  program  meets  the  goals  established  for  designing  a  highly  reliable 
fuel  control  for  operation  on  the  projected  Variable  Cycle  Engine  (VCE),  The 
controller  design  was  developed  using  the  baseline  design  with  all  the  mech¬ 
anical  features  upgraded  in  agreement  with  the  established  tradeoffs  conducted. 
Results  of  the  tradeoff  studies  are  presented  in  Appendix  B  .  The  baseline 
RAEEC  control  features  include:  1)  a  single  vibration  isolation  system;  2) 
fuel  cooling  and  external  pin  fins;  3)  conventional  printed  circuit  board/ 
metal  heat  sink  packaging  techniques;  and  4)  conventional  dip,  flatpack  and 
discrete  components.  The  final  RAEEC  control  employs:  1)  a  dual  vibration 
isolation  system;  2)  fuel  cooling;  and  3)  leadless  chip  carrier  (LCC)/alumina 
ceram'f  ackaging  technology.  All  of  the  highest  ranked  features  in  terms  of 
reliability,  as  determined  by  the  numerous  tradeoff  studies,  were  utilized. 
Below  is  listed  the  reliability  improvement. goals  for  the  various  packaging 
features  and  how  they  compare  to  the  actual  improvement. 


Goal 

Actual 

Interconnects 

1.3 

2.15 

Thermal  Environment 

2.3 

2.6 

Vibration  Isolation 

1.5 

2.25 

In  addition  to  the  established  goals,  gains  were  also  made  in  the  areas  of 
maintainability,  interconnect  design,  standardization,  producibility,  size, 
and  weight.  The  modularization  and  standardization  approach  employed  through¬ 
out  the  control  facilitates  testing  and  troubleshooting  at  key  intervals  of 
production,  and  also  enhances  product  maintainability. 


126 


3.5.2  Configuration  and  Installation 

External  features  of  the  control  were  designed  for  handling  and  installation 
using  published  human  engineering  guides  and  engine  fuel  control  design  exper¬ 
ience,  The  external  configuration  of  the  control  is  shown  in  Figure  41.  The 
final  RAEEC  control,  which  is  actually  two  controls,  has  a  basic  rectangular 
size  of  14.5  inches  X  10.9  inches  X  4.5  inches  'a  volume  of  711  cubic  inches), 
and  weighs  26.1  pounds.  As  a  comparison,  the  baseline  control  rectangular 
size  is  17.1  inches  X  9.75  inches  X  4.92  inches,  its  volume  is  800  cubic  inches 
and  it  weighs  30.0  pounds.  A  complete  weight  breakdown  is  presented  at  the 
end  of  this  section. 

The  control  is  mounted  with  four  straight  in  bolts  minimizing  mounting  toler¬ 
ances.  Connectors  are  oriented  horizontally  to  the  ground,  when  installed, 
to  prevent  contaminants  from  collecting  in  the  backshell  of  the  engine  harness 
connector  plugs. 

The  pressure  transducers  are  mounted  on  the  side  of  the  control  with  the  pres¬ 
sure  ports  facing  downward  to  prevent  moisture  ingestion.  The  control  is 
equipped  with  eight  electrical  I/O  connectors  polarized  to  ensure  proper  mat¬ 
ing  with  correct  cables.  Primary  and  secondary  test  connectors,  located  in 
the  rear  of  the  control,  are  equipped  with  protective  caps  for  on  engine  pro¬ 
tection.  The  six  pressure  transducer  pneumatic  lines  and  the  fuel  inlet  and 
outlet  hydraulic  lines  are  polarized  with  the  male  insert  which  is  normally 
installed  by  the  engine  manufacturer.  The  chassis  is  supplied  with  a  bond 
strap  in  accordance  with  MIL-B-5087B,  Class  L,  to  provide  effective  grounding 
of  the  control  against  lightning. 

The  bond  straps  attach  to  the  engine  with  #10-32  hardware.  Installation  and 
transport  of  the  control  is  facilitated  with  the  integrally  cast  handle  pro¬ 
vided.  Fuel  connections  are  made  in  the  rear  of  the  package. 


VJeiqht  Breakdown: 

Housings 

9. 

10 

lbs 

Interconnect  Modules 

5. 

25 

lbs 

Basic  Electronic  Modules 

7. 

00 

lbs 

Sensor  Electronic  Modules 

0. 

80 

lbs 

Pressure  Transducers 

1. 

30 

lbs 

Power  Supply  Modules 

0. 

65 

lbs 

Isolators 

2. 

00 

lbs 

Controller  Weight  = 

26. 

1 

lbs 

127 


E-^557 


FIGURE  41  RAEEC  PACKAGE  OUTLINE 


128 


3.5.3  Physical  Description 

3.5.3. 1  Modular  Construction 

The  RAEEC  Control  employs  modular  construction  throughout,  as  shown  in  Figure 
42.  Simplified  to  the  fullest,  all  modules  plug  directly  into  a  central  Inter¬ 
connect  Printed  Circuit  Board  Module.  This  modular  design  approach  facilitates 
sequential  testing  of  all  subassemblies  at  critical  stages  throughout  the 
build  to  assure  a  reliable  end  assembly.  Each  unique  module  has  been  standard¬ 
ized  as  much  as  the  package  restraints  would  allow.  This  feature  is  directed 
to  the  benefits  of  automated  assembly  techniques  and  attendant  increased  re¬ 
liability. 

3. 5. 3. 2  Module  Description 

Separation  of  the  housing  yields  two  major  modules  identified  as  the  Primary 
and  Secondary  Control  Modules.  Both  of  these  modules  are  similar  in  configur¬ 
ation  with  slight  differences  due  to  the  nature  of  the  total  system  redundancy. 
The  Primary  and  Secondary  Control  Modules  are  broken  down  into  their  unique 
sub-modules  as  follows: 


Sub-Modules 

Primary 

Secondary 

a.  Electronic  Module 

14 

14 

b.  Sensor  Electronics  Module 

4 

0 

c.  Pressure  Transducer 

3 

3 

d.  Discrete  Power  Supply  Module 

1 

1 

e.  Interconnect  Module 

1 

1 

The  building  and  test  stages  of  each  unique  sub-module  are  identified  below, 
along  with  a  description  of  each  sub-module's  detail  parts  and  subassemblies. 
Room  temperature  bench  testing  of  the  controller  in  a  closed  or  fanned-out 
condition  is  permissible  without  the  need  for  supplementary  cooling. 

3. 5. 3. 2,1  Electronic  Module  The  configuration  of  a  basic  Electronic  Module 
is  shown  with  its  mounting  platform  and  detail  parts  in  Figure  43.  The  heart 
of  this  module  is  the  alumina{AL2  O3)  circuit  substrate  with  a  multilayer  thick 
film  interconnect  system.  The  Electronic  Modules  were  designed  to  use  leadless 
chip  carriers  to  carry  the  active  circuit  chips.  Some  of  the  major  reasons 
for  selecting  this  electronic  packaging  approach  are:  size  and  weight  reduc¬ 
tions;  good  repairability  and  component  replacement;  preassembly  testing  and 
burn-in  capability;  accelerated  stress  test  capability;  package  ruggedness; 
improved  thermal  dissipating  properities;  and  improved  reliability.  Reliability 


129 


SECONDARY 
CONTROL  MODULE 


ELECTRONICS 
MODULE 


handle 


POWER  SUPPLY 
MOUNTING 
PLATFORM 

PRIMARY 

CONTROL  MODULE 


PRESSURE  SENSOR 
ELECTRONICS  MOOUI_E 


HOUSING 
GUIDE  POST' 


PRESSURE  TRANSDUCERS 
(ABSOLUTE' 

PRESSURE  TRANSDUCER 
(DIFFERENTIAL) 

FUEL  TRANSFER 
TUBE 

PRIMARY  SECONDARY 
INTERCONNECT 

T  EST  CONNECTOR 
COVER 

■PRIMARY  ISOLATOR 
SECONDARY  ISOI-ATOR 
BOND  STRAP 

PRESSURE  RELIEF  VAcVE 
PRESSURE  SENSOR  MANIFOLD 
iNTrPFACIAL  ' EMI  SEAL  E— 3633 


FIGURE  42  RAEEC  PACKAGE  CONFIGURATION 


130 


is  further  enhanced  by  the  capability  of  testing  at  both  the  component  pre¬ 
assembly  and  post-assembly  levels.  Accelerated  stress  testing  of  an  alumina 
ceramic  module  is  also  possible  with  the  omission  of  the  Module  connector  and 
the  use  of  high  temperature  solder  pastes  to  terminate  the  LCC  packages. 

The  alumina  substrate  in  the  Electronic  Module  is  one  standard  size  (2.5  in.  x 
4.5  in.).  The  base  substrate  is  0.062  thick  96%  AL2O3  available  from  a  variety 
of  manufacturers.  Low  substrate  camber  is  required  to  obtain  intimate  contact 
between  the  substrate  and  LCC,  as  well  as  the  substrate  and  aluminum  heat  ex¬ 
changer.  Camber  is  reduced  prior  to  screening  by  a  lapping  or  grinding  opera¬ 
tion.  Camber  due  to  screening  can  be  reduced  by  using  a  low  camber  dielectrical 
material.  The  finished  substrate  is  a  composite,  or  multilayer,  which  is  a 
ceramic  substrate  with  electrically  conductive  patterns  screen  printed  to  ^he 
base  substrate  in  layers.  The  layers  are  separated  and  insulated  by  high 
purity  ceramic,  and  interconnected  by  conductive  risers  or  vias  wherever  desired. 
The  whole  structure  is  sintered  to  form  a  monolithic  unit  that  is  strong,  her¬ 
metic,  chemically  inert,  dimensionally  stable,  and  thermally  conductive.  Maxi¬ 
mum  component  packaging  density  is  achieved  by  restricting  conductive  lines  to 
internal  layers. 

The  LCC  packages  can  be  attached  to  the  thick  film  alumina  substrate  circuit 
using  a  variety  of  techniques.  Regardless  of  the  heating  method  used,  the 
chip  capacitors  and  LCC  packages  are  attached  and  interconnected  by  a  reflow 
soldering  process.  Solder  is  applied  to  the  ceramic  circuit  as  a  screen  printed 
paste.  The  wet  solder  paste  holds  the  LCC  package  in  approximate  position  until 
the  solder  melts  and  floats  it  into  place.  Some  of  the  heating  methods  used  for 
reflow  soldering  are:  1)  selective  infrared  heating;  2)  special  soldering  tools 
now  being  developed;  3)  conventional  soldering  irons;  4)  localized  hot  air  heat¬ 
ing;  and  5)  vapor  condensation.  The  thick  solder  pads  on  the  LCC  and  ceramic 
substrate  are  of  the  same  size  and  location  which  facilitates  precise  alignment 
of  the  LCC  on  the  circuit  pattern  of  the  substrate.  The  solder  wicks  up  the 
metallized  patterns  on  the  sides  of  the  LCC  packages  and  petmits  visual  inspec¬ 
tion  of  the  electrical  connection.  The  bottom  surface  of  the  LCC  package  will 
be  metallized  and  soldered  to  the  substrate  for  better  mechanical  attachment 
while  providing  a  direct  path  for  heat  transfer.  Nickel  plated  chip  carriers 
and  circuit  substrates  are  very  resistant  to  solder  leaching  so  multiple  re¬ 
pairs  are  possible  with  no  solder  dewetting.  LCC  packages  can  be  reliably 
repaired  up  to  8-10  replacement  cycles,  which  far  exceeds  the  repair  capabilities 
of  conventional  printed  circuit  board/dip  packaging. 

The  module  connector  will  be  surface  soldered  in  the  same  manner  as  the  LCC's 
following  high  temperature  stress  testing.  High  strength,  high  temperature 
bonding  mechanically  fastens  the  coiinector  to  the  substrate.  Completed  ceramic 
assemblies  with  the  exception  of  the  connector  and  test  points  are  conformally 
coated  with  a  two-part  polyurethane  system  conforming  to  MIL-!-46058. 


132 


Electronic  modules  are  mounted  in  pairs  and  clamped  in  place  using  a  specially 
designed  spring  frame.  Constructed  of  a  phosphorous  bronze  material,  the  spring 
frame  exerts  only  enough  force  on  the  ceramic  substrate  assembly  to  sufficiently 
secure  it  in  the  projected  vibration  environment,  and  to  provide  good  heat  trans¬ 
fer  while  minimizing  the  stresses  in  the  ceramic  itself.  The  spring  frame  slides 
over  the  two  ceramic  substrates  and  is  held  in  place  by  two  fasteners.  An  elas¬ 
tomeric  heat  transfer  pad  is  molded  to  the  back  side  of  the  ceramic  substrate 
to  optimize  the  thermal  path  from  the  ceramic  substrate  assembly  to  the  module 
heat  exchanger.  The  material  hardness  and  pad  size  of  the  elastomer  is  designed 
to  minimize  the  applied  forces  deflecting  the  ceramic  substrate  to  a  level  con- 
sistant  with  the  clamping  forces  of  the  spring  retainer.  An  elastomeric  mater¬ 
ial  is  used  because  with  a  minimum  of  pressure,  it  flows  and  fills  the  microsur 
face  imperfections  on  the  metal  heat  exchanger  surface  with  a  resultant  minimal 
thermal  resistance. 

The  module  heat  exchanger  doubles  as  a  module  support  structure.  The  basic  sup¬ 
porting  structure  is  a  lightweight,  cast  aluminum  heat  exchanger  with  1/8  inch 
diameter  cored  fuel  passages.  This  structure  provides  the  mechanical  mounting 
accommodations  used  to  secure  the  Electronic  Module  rigidly  to  the  hou  nng  and 
connect  it  to  the  parallel  fuel  passages  within,  via  two  standard  "0"  ring 
sealed  bosses. 

3. 5. 3. 2. 2  Sensor  Electronics  Module  The  Sensor  Electronics  Module  utilizes 
the  same  design  approach  as  the  basic  Electronic  Module,  with  the  only  differ¬ 
ence  being  size.  The  alumina  substrate  size  is  a  standard  2.5  inches  x  3.0 
inches  for  the  four  sensor  substrate  assemblies.  These  modules  contain  all  of 
the  pressure  sensor  electronics,  including  the  redundant  sensor  characteriza¬ 
tion  PROMs.  The  purpose  of  this  remote  location  of  the  PROMs  is  to  minimize 
the  interconnects  related  to  the  miniature  pressure  transducers. 

3. 5. 3. 2. 3  Pressure  Transducers  The  RAEEC  control  contains  six  vibrating 
cylinder  pressure  transducers;  four  are  absolute  sensors  with  a  vacuum  reference 
and  two  are  differential  sensors.  The  design  is  similar  to  the  Hamilton 
Standard  miniature  pressure  transducer  product  line  with  some  modifications. 

The  modifications  result  from  the  redundancy  features  such  as  redundant  tem¬ 
perature  compensation  diodes,  redundant  coil  leads  and  redundant  PROMs  located 
on  the  Sensor  Electronics  Module. 

The  baseline  control  uses  the  larger  standard  size  pressure  transducers.  A 
miniature  transducer  was  developed  under  Navy  contract  based  upon  the  Hamilton 
Standard  larger  size  transducer  design.  Derivatives  of  this  are  presently 
used  in  HSD  engine  mounted  hardware.  Utilization  of  the  miniature  transducer 


133 


yields  a  41%  volumetric  size  improvement  and  a  38%  weight  improvement  over  the 
baseline  transducer.  The  six  transducers  are  mounted  to  the  fuel  cooled  con¬ 
trol  housing  and  electrically  interconnect  to  the  adjacent  Interconnect  Module. 
The  transducers  utilize  hard-wire  harnessing  and  plug-in  connectors  which  are 
equipped  with  jackscrews  for  ease  of  mating  and  separating  without  contact 
damage,  while  providing  good  mechanical  retention.  Severe  engine  control  en¬ 
vironments  and  strict  accuracy  requirements  have  limited  the  use  of  many  types 
of  pressure  transducers  whereas  the  vibrating  cylinder  type  used  in  this  design 
has  demonstrated  on-engine  capability  in  a  number  of  engine  control  applications, 

3. 5. 3. 2. 4  Power  Supply  Modules  The  Primary  and  Secondary  Control  Modules  con¬ 
tain  identical  Power  Supplies,  each  comprised  of  two  different  module  types. 

The  components  fall  into  three  distinct  categories:  1)  LCC  packages;  2)  power 
discretes  (large  capacitors  and  resistors,  TO-5  can,  etc.);  and  3)  magnetics 
(chokes,  transformers,  etc.).  The  LCC  components  are  packaged  as  a  single 
Electronic  Module,  like  the  type  described  earlier,  and  are  located  adjacent  to 
the  Discrete  Power  Supply  Module.  The  Discrete  Power  Supply  Module  contains 
all  the  remaining  electronics  associated  with  the  power  supply  circuit.  Con¬ 
ventional  printed  circuit  board  technology  is  utilized  here  because  of  the  style 
of  the  power  components  presently  available. 

A  high  performance  polymide  laminate  is  used  for  the  power  supply  module  multi¬ 
layer  interconnect  system.  Polyimide  ranked  highest  in  the  trade-off  studies 
when  compared  to  other  circuit  laminates.  High  glass  transition  temperature 
and  good  dimensional  stability  were  the  determining  factors  in  that  trade-off. 
Electronic  co.mponents  are  physically  and  thermally  mounted  to  a  metal  heat  sink 
and  electrically  attached  to  the  printed  circuit  board.  The  heat  sink  is  etched 
aluminum,  coated  with  a  dielectric  material  and  laminated  to  the  printed  circuit 
board . 

3. 5. 3. 2. 5  Interconnect  Module  The  Primary  and  Secondary  Control  Modules  con¬ 
tain  similar  Interconnect  Modules.  All  of  the  individual  sub-modules  contained 
within  the  control  are  interconnected  by  the  Interconnect  Module,  the  heart  of 
which  is  a  polyimide  multilayer  board.  The  Electronic  Modules  and  Sensor  Elec¬ 
tronic  Modules  plug  directly  into  the  Interconnect  Module  using  two-piece  con¬ 
nectors  equipped  with  *Hypertac''  contacts  which  feature  low  contact  insertion 
force,  low  contact  resistance  and  assured  electrical  continuity  under  shock  and 
vibration.  The  pressure  transducers  have  a  haro-wire  harness  anu  Hypertacc  con¬ 
nector  which  mates  with  a  corresponding  connector  on  the  Interconnect  board.  A 
flexible  molded  cable  soldered  to  the  Interconnect  Module  is  provisioned  with  a 
Hypertac^  connector  mating  it  to  the  Discrete  Power  Supply  Module,  The  mating 
halves  of  a  larger  Hypertac*^  two-piece  connector,  interconnected  to  each  mother¬ 
board  with  flexible  molded  cables,  provide  the  communications  between  the 


*  Hypertac'"  is  a  traderi.ark  of  Industrial  Electronic  Hardware  Corporation. 


134 


Primary  and  Secondary  Control  Modules.  The  I/O  connector/cable  assemblies 
include  flexible  molded  cables  terminated  and  potted  to  a  severe  environment 
resistant  MIL-C-38999,  series  III,  connector. 

This  design  approach  maximizes  reliability  by  employing  several  important  fea¬ 
tures,  Only  three  terminations  are  required  per  signal:  crimp  connection  at 
the  I/O  connector;  soldered  connection  to  a  one  piece  molded  connector;  and  a 
solder  connection  to  the  printed  circuit  board.  Progressive  strain  relief  is 
provided  at  both  ends  of  the  cable.  A  rigid  epoxy  and  elastomeric  fillet  system 
is  utilized  at  the  back  of  the  I/O  connector  and  at  the  printed  circuit  board.  Mo 
forces  can  be  transmitted  to  any  of  the  three  terminations.  The  1/0  connector 
is  secured  with  four  fasteners  to  the  housing,  and  the  one-piece  connector  is 
bolted  with  two  fasteners  tc  the  printed  circuit  board.  The  I/O  connector  con¬ 
tact  design  provides  multiple  contact  points  assuring  electrical  continuity 
under  high  vibration.  The  individual  I/O  Connector/cable  assemblies  can  also  be 
fully  tested  prior  to  being  soldered  to  the  multilayer  polyimide  motherboard. 

The  entire  Interconnect  Module,  like  all  other  modules  in  the  RAEEC  control, 
can  be  tested  prior  to  being  assembled  in  the  control. 

The  alternator  power  and  control  lines  are  hard-wire  twisted  shielded  triplets 
and  twisted  shielded  pairs,  respectively.  These  harnesses  mate  to  the  Power 
Supply  Module  thru  its  own  p1ug-in,  Hypertac'^  connector. 

3. 5. 3. 2. 6  Housing  Description  Each  major  control  module  (Primary  and  Secon¬ 
dary)  is  packaged  within  its  own  housing.  Both  housings  are  similar  one- 
piece  castings  with  stiffening  as  required  to  minimize  deflections,  and  with 
an  integral,  foixed  fuel  heat  exchanger  in  the  cuter  walls  to  cool  the  internal 
electronics.  The  housing  material  is  an  AMS  4218  (A356-T6)  premium  strength 
structural  investment  casting  having  a  MlL-A-8625,  type  1,  anodize  finish. 

Where  required  for  electrical  continuity  and  EMC  closure,  macliined  surfaces  are 
conversion  coated  per  MIL-C-5541  class  3.  Gun  drilled  fuel  passages,  sealed 
with  pin  plugs,  are  strategically  located  to  optimize  the  cooling  of  the  elec¬ 
tronic  modules,  power  supply  modules  and  sensors.  One  housing's  fuel  passages 
are  a  mirror  image  of  the  others,  utilizing  a  single  transfer  tube  to  transport 
fuel  from  the  primary  to  the  Secondary  Control  Module.  This  is  the  only  fuel 
line  separation  required  during  normal  maintenance.  All  other  fuel  containment 
is  within  drilled  passages  in  the  castings,  A  representation  of  the  salient 
feature  is  shown  in  Figure  44, 

Because  these  seals  are  involved  in  the  normal  maintenance  cycle,  the  control 
is  designed  such  that  a  failure  of  either  or  both  seals  will  result  in  leakage 
which  is  routed  through  the  drain  point  and  is  visil  le  externally.  In  the  event 
that  Ode  or  both  seals  leak  "slightly",  leakage  is  directed  overboard  without 
filling  the  cavity.  Thus  no  pressure  build-up  cun  occur  which  would  force  fuel 
between  clamped  housings  into  the  unit. 


‘•iTl'i  ri  lii  II  lifMin 


STANDARD  ‘O*  RING  SEAL  BOTH  ENDS 

CLAMPED  MACHINED  SURFACES 


OVERBOARD  DRAIN 
TRANSFER  TUBE 


FIGURE  44  OVERBOARD  DRAIN  SCHEMATIC 


E--6175 


In  the  event  that  one  or  both  seals  fail  completely  (left  out  at  assembly) 
the  leakage  rate  into  the  cavity  is  limited  by  the  annular  clearance  between 
the  transfer  tube  and  housings.  The  drain  hole  is  sized  to  drain  faster  than 
the  leak,  thus  precluding  pressure  build-up  and  forced  leakage  into  the  unit, 

This  is  mainly  a  convenience  feature  during  assembly  and  test,  in  that  fuels 
or  test  fluids  which  enter  the  electronics  area  are  of  nuisance  impact  only. 

In  service  on  the  engine,  fuels  which  might  otherwise  enter  into  the  electronics 
do  not  constitute  an  immediate  nor  immanent  failure  threat,  However,  gross 
exposure  to  impure  fuels,  with  temperature  cycling  and  sufficient  time  for 
absorption,  could  eventually  result  in  electrical  degradation  or  failure,  hence 
the  desirability  of  overboard  drain. 

The  mating  surfaces  of  the  housing  guide  posts  are  prepared  with  a  single 
machine  cut  and  seal  groove  and  are  included  to  guide  the  interwoven  modules 
when  mating  the  two  control  halves  and  to  precisely  align  the  guide  pins  of 
the  interface  connector.  A  cross-section  of  the  control  illustrating  the  need 
for  these  features  is  shown  in  Figure  45,  Other  housing  features  include  in¬ 
ternal  mounting  platforms  for  all  modules,  isolator  mounting  pads,  fuel  ports 
and  raised  cast  letters  for  identifying  all  external  interfaces.  Also  included 
are  an  integrally  cast  electrical  bond  lug,  a  sensor  pneumatic  manifold,  and  a 
handle  for  aiding  installation  and  transportation.  The  sensor  manifold  shown 
in  Figure  46  is  an  integrally  cast  part  of  the  housing  and  provides  the  sensor 
mounting  platform,  drilled  pneumatic  lines  and  external  pressure  port  bosses, 
which  are  machined  in  accordance  with  MS  33649. 


136 


POWER  SUPPLY  SENSOR 

l/°  INTERCONNECT  MOUNTING  POWER  SUPPLY  ELECTRONIC  TEST 


electronic 

MODULES  (TYP) 


E-3S95 


FIGURE  45  RAEEC  CONTROL  CROSS-SECTION 


E-3982 


FIGURE  46  PRESSURE  SENSOR  MANIFOLD 


3.5.4  Maintalnabi 1 i ty 

As  mentioned  in  the  modular  design  section  of  this  report,  the  plug-in  capabil¬ 
ity  of  each  and  every  module  has  been  a  major  contributor  to  the  maintainability 
improvements  of  this  control.  Beyond  interrogation  of  the  external  test  con¬ 
nectors,  the  first  step  for  maintenance  requiring  access  to  the  unit  interior 
is  separation  of  the  housing  modules,  ot  the  Primary  and  Secondary  Control  Mod¬ 
ules.  The  two  modules  are  connected  electrically  by  a  rectangular  connector 
which  separates  automatically  upon  separation  of  the  housings.  Guide  pins  are 
included  with  the  connector  to  insure  proper  mating  during  reassembly.  Guide 
posts  are  provided  as  part  of  the  housing  design  to  insure  safe  separation  and 
assembly  of  the  housing  modules  beyond  the  height  of  the  internal  electronic 
modules  while  also  serving  as  a  pre-guide  to  pick  up  the  connector  guide  pins. 

Disassembly  of  either  housing  module  is  performed  in  a  similar  manner.  Any 
sensor  or  functional  electronics  module  may  be  removed  without  disturbing  any 
other  module.  There  is  no  sequence  required  for  disassembling  these  modules 
from  the  Interconnect  board.  Replacement  of  a  ceramic  module  for  component 
replacement  can  be  accomplished  simply  by  removing  the  spring  retainer  held  in 
place  by  two  fasteners,  and  disengaging  the  electrical  connector.  Any  elec¬ 
tronics  module  (basic  or  sensor)  can  be  removed  individually  without  disturb¬ 
ing  any  other  feature.  There  is  no  need  to  ever  remove  an  electronics  module 
heat  exchanger,  except  to  facilitate  replacement  of  an  Interconnect  Module, 

If  necessary  the  heat  exchangers  can  be  taken  out  after  removing  the  four 
mounting  screws.  Seals  may  be  tested  by  plugging  in  the  transfer  tube  and  pres¬ 
surizing  the  inlet.  The  Power  Supply  Module  need  only  be  removed  if  component 
replacement  is  required,  since  test  points  are  accessible  to  permit  testing 
without  removal  from  the  housing.  If  necessary,  however,  the  power  supply,  can 
be  removed  by  disengaging  the  electrical  connector,  secured  by  jockscrews,  and 
removing  the  mounting  fasteners  securing  it  to  the  housing.  Removal  of  a  polar¬ 
ized  Pressure  Transducer  can  be  done  in  a  similar  fashion.  The  Interconnect 
Module  does  not  require  removal  under  normal  maintenance;  only  if  replacement 
is  necessary.  It  may  be  tested  in  place  after  removal  of  all  the  Basic  and 
Sensor  Electronic  Modules,  and  separation  of  the  Sensor  and  Power  Supply  con¬ 
nectors,  and,  if  necessary,  it  may  be  removed  and  replaced.  Removal  of  an 
Interconnect  Module  requires  removal  of  its  mounting  fasteners,  as  well  as  the 
I/O  connector  fasteners. 


130 


3.5.5  Environmental  Design 

3. 5. 5.1  General 


The  RAEEC  control  package  is  designed  to  provide  the  electronic  components 
with  the  most  benign  environment  practicable  for  the  projected  service  environ¬ 
ment.  Environmental  investigations  performed  by  both  Pratt  and  Whitney 
Aircraft  and  Hamilton  Standard  were  used  for  projecting  the  EMI,  theupal,  vib¬ 
ration,  shock  and  acoustic  environments.  The  basic  package  is  designrtd  a?  a 
sealed  unit  to  protect  the  internal  electronics  from  the  short  term  and  lung 
term  effects  of  humidity,  salt  and  fluids. 

A  pressure  relief  valve  is  used  in  the  design  to  avoid  the  significant  weight 
penalty  which  would  be  incurred  if  sufficient  rigidity  had  to  be  added  to  the 
module  to  enable  it  to  survive  the  full  differential  ambient  pressure  range. 

The  relief  valve  allows  a  maximum  pressure  differential  of  1.2  psid  between 
the  inside  and  the  outside  of  the  module.  The  degree  of  moisture  sealing  is 
really  dependent  on  the  function  of  the  pressure  relief  valve.  Th-is  valve 
is  presently  being  used  on  EECs  for  the  FIDO  engine  with  no  recognized  moisture 
problems. 

The  housing's  interfacial  seal  serves  a  dual  purpose:  in  addition  to  environ¬ 
mentally  sealing  the  control,  it  has  built-in  daracteristics  that  protect 
the  unit  from  the  effects  of  EMC  (electroma^'  c  compatabi 1 i ty ) . 

3.5. 5.2  EMC 

In  addition  to  circuit  design,  other  features  have  been  incorporated  into  the 
package  for  EMC  protection.  The  housing  seal  mentioned  previously,  is  an  EMC 
O'ring  gasket  molded  into  the  housing  flange.  Similar  gaskets  are  provided 
at  all  I/O  connector  locations.  The  alternator  power  and  signal  lines  inside 
the  control  are  twisted  and  shielded  to  .liminate  possible  interference  with 
electronics.  Secondly,  the  I/O  connectms  are  equipped  with  filter  pin  con¬ 
tacts  since  external  cable  shielding  aU  would  not  be  adequate  to  prevent 
high  frequency,  short  wavelength  suscepi  ility.  Finally,  3.5  inch  maximum 
bolt  spacing  and  0.06  inch  minimum  wall  t.iickness  are  being  used  to  optimize 
EMC  shielding. 

3. 5. 5. 3  Lightning 

Lond  straps,  located  at  each  end  of  the  package,  provide  the  control  with  suit¬ 
able  lightning  protection.  All  bonding  is  done  in  accordance  with  MIL-B-5087B, 
Class  L,  and  the  bond  strap  design  is  in  accordance  with  Mb  25083-2BB6. 

The  engine  manufacturer  must  also  terminate  the  bond  strap  to  the  engine  in 
accordance  with  the  surface  preparation  and  hardware  defined  in  M1L-B50875, 
Class  L.  The  bond  strap  is  constructed  o*  12  AWG,  stranded,  tinned,  copper- 
wire  rope  to  minimize  vibration  effects.  It  is  fastened  to  an  inti-grally  cast 
bond  lug  at  the  controller,  as  well  as  to  the  engine  case,  with  #10  fastener 
hardware . 


140 


3. 5. 5. 4  Thermal  Design 


I 


r 


e 


1 


i 


3. 5. 5. 4.1  Environment  The  RAEEC  control  has  been  designed  to  operate  at  the 
highest  reliability  levels  practicable  for  all  cases  described  in  Section  IV, 
Controller  Environment.  Pertinent  thermal  environment  data  has  been  reproduced 
in  Tables  20  and  21. 

Mounted  on  the  engine  fan  case  inside  the  nacelle,  the  controller  utilizes 
tank  fuel  for  cooling  the  internal  electronics.  Figure  47  is  a  schematic  rep¬ 
resentation  of  the  fuel  flow  through  the  control.  The  maximum  tank  fuel  tem¬ 
perature  (159*^F)  occurs  under  extreme  flight  conditions.  During  a  typical 
deep  strike  mission,  the  maximum  fuel  temperature  is  less  (114°F).  For  design 
conservatism,  the  analysis  presented  later  in  this  report  was  performed  using 
159°F  tank  fuel  with  a  flow  rate  of  200  PPH,  which  is  consistent  with  present 
system  capability.  The  tank  supplied  cooling  fuel  may  undergo  a  maximum  tem¬ 
perature  transient  from  155^F  to  O^F  during  air  refueling. 

For  the  present  F-15  aircraft  systems  there  exists  a  "no  fuel"  condition.  Under 
this  condition,  nacelle  air  flow  has  to  be  used  to  convectively  cool  the  con¬ 
trol.  The  baseline  control  falls  into  this  catagory,  which  is  why  pin  fins 
were  included  to  provide  non-critical  mounting  attitude  convective  cooling. 

The  F-16  and  VCE  systems,  as  well  as  the  new  F-15  systems,  provide  an  assured 
supply  of  fuel.  With  a  tank  fuel  sink,  as  in  the  RAEEC  system,  cooling  to  am¬ 
bient  is  not  required  and  the  heat  influx  from  ambient  air  is  minimal.  There¬ 
fore  cooling  fins  prove  ineffective  and  have  been  deleted, 

3. 5. 5. 4. 2  Cooling  Heat  transfer  to  and  from  the  exterior  of  the  package  is 
primarily  by  natural  convection  and  radiation,  witK  some  'effects  of  conductioi, 
through  the  mechanical  interfaces.  When  considering  convective  cooling  to  and 
from  the  nacelle  air,  the  effects  of  air  temperature,  pressure  and  velocity 
must  be  accounted  for,  but  since  the  velocity  is  unknown,  static  air  is  assumed 
for  conservatism.  At  flight  points  when  the  nacelle  air  temperature  is  high, 
the  corresponding  pressure  is  low,  minimizing  the  effect  ( J  P/14. 7  =  0.26). 

In  addition,  the  duration  at  high  temperature  (180°F  for  battlefield  interdic¬ 
tion  and  307®F  for  deep  strike  mission)  is  short.  Approximately  60%  of  the 
time  the  nacelle  air  will  be  cooling  the  package  during  a  battlefield  inter¬ 
diction  mission  and  about  90%  of  the  time  for  a  deep  strike  mission. 

Other  cooling  paths  include  radiation  to  and  from  the  engine  case  and  nacelle 
metal,  as  well  as  conduction  througF”the  mounting,  plumbing  and  wiring  inter¬ 
faces.  While  these  paths  are  mostly  beneficial,  that  is  they  tend  to  cool  the 
package  further,  in  those  instances  where  heat  is  added  to  the  control,  it  is 
directed  to  the  fuel  sink  through  the  housing  and  thus  negligible  heat  is 
transferred  to  the  components.  Internal  cooling  encompasses  all  three  modes 
of  heat  transfer;  conduction,  the  most  dominent  of  the  three,  is  heavily 
utilized.  Effective  conductive  cooling  has  been  achieved  with  every  module 


FIGURE  47  FUEL  FLOW  DIAGRAM 


1  AA 


being  directly  tied  to  the  central  housing  heat  exchanger.  Optimum  thermal 
paths  were  attained  by  using  individual,  ceramic  module,  forced  fuel,  heat  ex¬ 
changers  mated  in  parallel  fuel  paths  with  the  housing  heat  exchanger.  Also, 
each  power  supply  module  is  supplimented  with  an  aluminum  alloy  heat  transfer 
plate  mounted  in  direct  contact  with  the  main  housing  forced  fuel  heat  exchan¬ 
ger.  Components  are  strategically  located  to  match  the  resultant  thermal 
resistance  with  each  component's  power  dissipation  to  minimize  hot  spots  and 
maintain  a  close  average  temperature  between  components.  The  close  proximity 
of  the  components  to  the  fuel  minimizes  the  thermal  resistance,  and  consequently 
keeps  the  temperature  rise  from  the  component  to  the  fuel  low. 


3. 5. 5. 4. 3  Power  Dissipation  Internal  power  dissipation  for  the  RAEEC  control 
totals  57.4  watts.  This  is  a  2.48/1  reduction  in  the  baseline  control  dissipa¬ 
tion  of  about  200  watts.  Power  is  first  broken  down  by  Electronic  Modules  and 
summarized  in  Table  22.. 

3. 5. 5. 4. 4  Thermal  Analysis  The  thermal  analysis  conducted  includes  the 
determination  of  component  operating  temperature  for  the  following  cases:  1) 
LCC  components  [mounted  on  ceramic)  located  directly  over  a  fual  line;  2)  LCC 
components  located  centrally  between  two  fuel  lines;  and  3)  conventional  power 
supply  components  mounted  on  an  aluminum  heat  sink  with  fuel  lines  passing 
underneath.  Figure  48  and  the  equivalent  thermal  resistance  network  that  fol¬ 
lows,  describes  the  conductive  heat  transfer  paths  from  the  component  junction 
to  the  fuel  for  a  typical  ceramic  module. 


Condition  1:  Worst  case  fuel  supply  at  159°F 


Component  Power 

0.002  watts  (min) 
0.100  watts  (avg) 
0.250  watts  (max) 


Case  1 
159.04°F 

161.1  op 

164.4'’  F 


Case  2 

159.11°F 
163.3  °F 
N/A 


TABLE  22  POWER  DISSIPATION 


I 

I  . 

I 


I 


I 


: 

Functional 

Number  of 

Total  Power 

Circuit 

Ceramic  Modules 

Dissipation  (watts) 

Primary 

1 

Resolver 

2 

2.025 

Low  Level  Interface 

1 

.380 

A/D  Converter 

1 

1.340 

Speed 

1 

.681 

Torque  Motor  Driver 

2 

3.712 

Discretes 

1 

2.574 

Power  Supply 

2 

1.000 

Processor 

4 

3.890 

Total  Primary 

14 

15.602  watts 

1 

Secondary 

4t 

i 

1 

Resol ver 

2 

2.639 

Low  Level  Interface 

1 

.190 

1 

A/0  Converter 

1 

.670 

? 

Speed 

1 

.483 

(- 

Toi'que  Motor  Driver 

2 

2.344 

} 

Discretes 

1 

.683 

Power  Supply 

2 

1.000 

Processor 

4 

3.890 

. 

Total  Secondary 

14 

1 1 .899  watts 

i 

The  controllers  total  power  breakdown  is  as  follows: 

» 

Module 

Quantity 

Total  Power  (watts) 

1 

ii 

Primary 

Basic  Electronic  Module 

14 

15.602 

Sensor  Electronic  Module 

4 

3.000 

Power  Supply  Module 

1 

13.450 

Sub-total 

19 

32.052 

Secondary 

Basic  Electronic  Module 

14 

11.899 

Power  Supply  Module 

1 

13.450 

, 

Sub-total 

15 

25.349  watts 

Total  Controller 

27 

57.401  watts 

146 

CASE  1 

(COMP.  OVER  FUEL  LINE) 


CASE  2 

(COMP,  BETWEEN  FUEL  LINE) 


HEAT 

EXCHANGER 

COMP.  JUNCTION 
RjC 

Rs 

Ra 

THERMAL  RESISTANCE 
a  NETWORKS 

Rp 

R| 


Rf 

FUEL 

Nomenclature 

Rjc  -  chip  junction  to  case  resistance 
Rs  “  eutectic  solder  resistance 
Ra  -  Alumina  substrate  resistance 
Rp  -  thermal  pad  resistance 
Ri  -  Interface  resistance 
Ral  -  Aluminum  resistance 
Rf  -  fuel  to  housing  resistance 
P.cf  •  total  thermal  resistance  from  component  chip  to  fuel. 

FIGURE  48  CONDUCTIVE  HEAT  TRANSFER  PATHS 


fuel  fuel 

E-3986 


147 


Condition  2:  Average  fuel  supply  at  77°F 


Component  Power 


Case  1  Case  2 


0.002  watts  (min) 
0.100  watts  (avg) 
0.250  wattsn  (max) 


77.04°F  77.11°F 
79.10CF  81.30°F 
32.40^F  N/A 


N/A  =  Not  applicable 

There  is  one  device  on  the  Signal  Interface  circuit  that  dissipates  0.325 
watts  but  was  not  considered  a  worst  case  condilior  because  it  is  carried  in 
a  larger,  48  paa  LCC  package  with  a  significantly  lower  Rjc  than  the  24  pad 
LCC  package  dissipating  0.25  watts.  The  latter  was  therefore  chosen  for  anal¬ 
ysis. 


The  Power  Supply  Module  components  are  analyzed  using  conventional  methods  and 
the  kinds  of  temperature  rise  and  component  operating  temperatures  are  similar 
to  present  forced  fuel  cooled  controls.  Some  typical  high  power  components 
were  analyzed  and  the  results  are  summarized  below. 


Case  3 


1/4"  diameter  fuel  line 

Fuel  Temperature  =  159°F  max,  77°F  avg. 

*Fuel  Flow  Rate  -  200  PPH  (JP4) 

Components  mounted  on  heat  sink  directly  attached  to  housing  heat  exchanger. 


Component  type 


Transistor 
30  Bridge 
Capacitor 
Sensors 


Component  temperature 


Max  fuel  Avg.  fuel 


176°F  94°F 
1850F  103°F 
167°F  85°F 
187°F  105°F 


’  ecause  of  the  split  in  fuel  flow,  the  secondary  power  supply  gets  2C0  PPH 
but  the  primary  power  supply  gets  slightly  less. 

3, 5. 5. 5  Vibration  Design 

3. 5. 5. 5.1  Environment  Engine  test  data  shows  that  the  general  jet  engine  spec¬ 
ification  MIL-E-5007  and  MIL-STD-810  are  inadequate  for  the  successful  design 
of  an  electronic  control.  Based  on  the  VCE  fan  design,  using  current  engine 
test  data  as  a  reference,  the  VCE  vibration  levels  in  the  500  to  20,000  HZ 
range  at  the  electronic  control  location  are  predicted  to  be  above  the  military 


148 


specification,  with  respect  to  both  amplitude  and  maximum  frequency.  The 
predicted  vibration  environment  for  the  variable  cycle  engine  is  sho\wn  in  Figure 
49.  The  inputs  shown  on  this  curve  are  a  combination  of  all  worst  case  peaks 
at  all  speeds.  The  major  sources  of  high  vibration  levels  in  the  500  to  20,000 
HZ  range  are  the  fan  blades.  These  levels  vary  considerably  with  axial  location 
on  the  case.  The  electronic  control  receives  vibration  excitation  from  all  con¬ 
tacts  with  the  engine,  including  fuel  and  pneumatic  plumbing,  and  electrical 
cables  and  the  electronic  control  mounting  brackets.  There  have  been  signifi¬ 
cant  levels  of  vibration  attributed  to  electronic  control  fuel  plumbing  con¬ 
nections  which  bypass  the  control  mounting  bracket  isolation;  but  this  problem 
can  be  substantially  reduced  in  advanced  engines  by  proper  engine  and  plumbing 
design.  The  levels  of  vibration  expected  from  aircraft  fuel  tank  coolant 
source  design  is  less  than  lOG  and  v;ould  occur  at  frequencies  below  500  Hz, 

The  vibration  received  from  the  electrical  cables  is  inherently  sm^ll  because 
of  the  flexibility  of  construction.  Discrete-frequency  acceleration  and  dis¬ 
placement  levels  are  identified  in  Figure  50  for  fan  (Ef)  and  high  rotor  (E^) 
excitation  orders.  All  of  these  frequency  components  appear  simultaneously. 

At  20  Ef,  24  Ef  and  40Ef  the  radial  and  tangential  acceleration  levels  are 
760  G,  while  the  axial  acceleration  is  only  half  that  level.  In  the  low- 
frequency  range,  displacement  level  is  the  more  significant  indicator.  Add¬ 
itionally,  on  each  engine  design  and  in  each  position  on  the  engine,  some 
physical  features  are  more  influential  than  others. 

Vibration  inputs  to  the  control  therefore  are  defined  in  a  combined,  maximum, 
overall  form  in  Figure  49.  The  actual  instantaneous  vibration  is  more  like 
the  curve  per  Figure  51.  Similar  inputs  occur  at  all  engine  speeds  with 
frequency  and  peaks  shifting  with  shaft  speed. 

3.5,5. 5.2  Average  overall  response  Data  has  been  accumulated  from  the  FlOO 
testing.  The  worst  case  test  engine  data  involving  a  JFC90  control  was  selected 
as  an  average  response  level  for  reliability  calculations.  It  is  difficult  to 
express  component  responses  as  a  generalization  because  response  levels  vary 
with  input  and  with  location  within  the  control.  While  it  is  true  that  at  the 
isolator  frequency  the  control  package  is  a  rigid  body  mode  and  all  components 
experience  the  same  response  as  the  housing,  internal  vibration  must  be  consid¬ 
ered  since  the  internal  design  and  location  result  in  varying  responses  for 
different  locations.  This  can  best  be  shown  in  Figure  52. 


149 


Y  ACCELERATION,  ±  G 


FREQUENCY  -  HZ 


E-3983 


FIGURE  49  PREDICTED  VIBRATION  ENVIRONMENT  FOR  VARIABLE  CYCLE  ENGINE; 

HIGHEST  PEAKS  IN  FREQUENCY  SPECTRUM  AT  OUTER  ENGINE  CASE 
JUST  UPSTREAM  OF  DUCT  FLAMEHOLDER 


150 


2:  O  < 
□  z  5 
<  <  X 
q:  I-  < 


LJ  (/) 

o  z 

o  - 

< 


o  o  o  o 

O  O  «0  (O 

<vj  —  i~.  rv 


(»V3d)  “13A3“I  NOI±Va3"1300V  XfldNI 


o  o  o  o 
inmooooooQ 
r^rginmooomojo 

OOOOOOOOO 
Hl-l-l-l-l-l-l-l- 
1/100000000 
Ol/>rOOO9O(0O 
—  rocjOn>/'tO 
—  CM 


I1.XU.XULU-I1.I1.U. 

UJlkJlilUlUJliJUJliJLJ 

*-  eg  ^ 


UJ  J 

-m 

UJ  0 

1 

J  q: 

^  t 

>-  2 

3 

0  0 

UJ 

d 

J  u 

J 

• 

•3 

2  z 

S  0 

z  q: 

<  H 
>  U 

1 

3 

Q  J 

}liu 

J 

0  UJ 

Id 

-i 

a:  h- 

a.  < 

J 

0 

IT) 

UJ 

= 

m 

a: 

3 

0 

U. 

‘  ^ 

FREQUENCY  E— 1028 

FIGURE  51  INSTANTANEOUS  VIBRATION  CURVE 


E-402a 

FIGURE  52  COMPONENT  MOUNTING 


At  the  printed  circuit  board  resonances: 

-  Component  B  experiences  the  maximum  amplification 

-  Component  A  experiences  no  amplification  and  is  more  affected  by 
housing  deflections 

-  Component  C  experiences  an  amplification  somewhere  in  between 

An  approximation  suitable  for  comparative  purposes  is  obtained  using  an 
"average  overall  response",  which  is  an  RSS  (root  of  sum  of  the  squares) 
the  combined  worst  case  peak  responses.  Data  was  extrapolated  from  JF' 
testing  and  the  average  overall  response  for  various  mounting  con'  i,ions  are 
represented  in  Figure  53.  As  indicated  on  the  curve,  the  JFC90  crage  over¬ 
all  response  without  isolators  is  3?.  G  while  the  average  overall  response  with 
isolators  is  22.5  G.  The  isolators  that  were  added  were  only  partially  effec¬ 
tive  due  to  the  influence  of  the  plumbing  interfaces  which  was  not  reduced  by 
the  isolators. 

It  is  assumed  that  witn  a  single  isolation  system,  the  RAEEC  control  could 
duplicate  the  JFC  90  average  overall  response  curve  for  single  isolation  with¬ 
out  external  interfaces,  which  is  3.62  G's.  It  is  possible,  but  not  probable 
according  to  P&WA,  that  the  interface  effects  could  be  negligible.  It  is 


therefore  assumed  for  RAEEC  that  individual  peak  respoiise  levels  will  more 
realistically  be  about  50%  greater.  This  means  that  the  average  overall  re¬ 
sponse  for  the  RAEEC  control  with  single  isolation  is  approximately  5.43  G's. 

3.5.5. 5.3  Secondary  Isol ation  Secondary  isolation  is  less  effective  than  the 

primary  because  excitation  levels  are  lower.  The  estimated  average  additional 
attenuation  above  850  Hz  is  2;1.  Below  850  Hz  an  average  amplification  of  3:1 
is  realized.  The  resultant  average  overall  response  with  the  secondary  isola¬ 
tion  system  is  3.53  G's.  If  it  happens  that  the  primary  isolation  system  is 

less  effective  than  anticipated  and  the  attenuation  of  the  secondary  isolation 

■'Stem  is  4:1,  then  the  average  overall  response  would  be  2.6  G's, 

3. 5. 5. 5. 4  Design  Approach  The  ability  of  an  electronic  component  to  survive 

a  severe  vibration  environment  depends  on:  1)  component  internal  design;  2) 
component  mounting  configuration;  3)  resonant  frequency  of  the  printed  circuit 
board;  and  4)  acceleration  forces.  Component  physical  failures  are  usually  the 
result  of  high  cycle  dynamic  stresses  that  develop  because  of  the  relative 
motion  of  the  component,  its  leths,  and  the  printed  circuit  boar-d.  Relative 
motion  is  m-nst  severe  during  resonant  conditions  that  can  develop  in  the  com¬ 
ponent  part  or  the  printed  circuit  board.  There  are  only  two  variables  that 
can  be  manipulated  in  controlling  vibration  response:  frequency  and  amplitude. 

Frequency  tuning,  the  prime  feature  of  the  RAEEC  vibration  design,  is  carefully 
utilized  to  avoid  frequency  coupling  via  similar  resonant  frequencies.  The 
result  is  minimized  stresses  and  deflccticns.  Figure  54  is  a  plot  indicating 
all  of  the  basic  VCE  engine  resonant  frequencies.  The  resonant  frequency  of 
each  control  feature  is  tuned  outside  the  55-175  HZ  range  of  the  fan  and  the 
150-225  HZ  range  of  the  high  rotor,  since  these  are  the  most  threatening  due 
to  the  large  displacements  involved.  As  can  be  seen,  not  all  of  the  engines 
frequencies  cari  be  avoided.  The  engine  brackets  and  pressure  sensors  frequencies 
overlap  the  various  blade  passing  frequencies.  However,  the  displacements 
associated  at  these  high  frequencies  are  small  and  the  isolators  are  at  maxi¬ 
mum  ottenuation.  The  flexible  electrical  cables  and  the  primary  isolator  sys¬ 
tems  are  designed  with  frequencies  below  those  of  the  engine  shafts.  It  is 
desirable  uO  set  these  features  below  the  turning  spe  'o  that  vibration  will 
only  be  experienced  during  start-up  and  shut-down.  Ti  ^ondary  isolator 
frenuency  was  selected  between  that  of  the  external  inieri aces/plumbing  and  the 
engine  blades  for  moximum  effect.  All  other  features  were  frequency  uuned 
baseo  upon  their  inherent  capabilities.  The  electronic  mO'ules  are  supported 
in  the  center  of  the  printed  circuit  assembly.  The  ceramic  substrates  are 
relatively  rigid  and  have  a  flexural  modulus  several  times  greater  than  most 


plastics.  The  results  are  that  very  low  deflections  and  low  dynamic  stresses 
are  exerted  on  the  components.  In  addition,  the  leadless  chip  carrier  packages 
themselves  are  considerably  more  capable  of  wi thstandiiiy  vibration  than  dips 
because  of  the  inherent  stiffness  of  the  package  and  its  mounting. 

3.5. 5.5.5  Isolation  Design  The  primary  isolator  is  a  low  damped,  low  fre¬ 
quency  system  designed  for  maximum  attenuation  of  vibration  inputs  at  engine 
frequencies  (Figure  55).  The  higher  amplification  at  natural  frequencies 
is  acceptable  since  it  is  only  experienced  at  start  up  and  shutdown.  The 
isolator  is  a  steel  spring  with  wire  mesh  construction.  The  spring  provides 
most  of  the  spring  rate  with  some  added  by  the  wire  mesh.  The  wire  mesh, 
however,  provides  all  of  the  damping. 

The  secondary  isolator  is  a  high  damped,  high  frequency  system  for  minimum  amp- 
lifica^ion  at  resonance  with  agreeable  attenuation  at  higher  frequencies 
(Figure  55).  I':  is  a  lai:.inated  spring  steel  construction  with  viscoelastic 

inner  layers.  The  secondary  isolator  system  is  designed  to  work  only  in  the 
X  and  Z  axis  to  reduce  complexity.  As  mentioned  earlier,  the  axial  (Y-axis) 
inputs  are  only  half  those  of  the  tangential  (X-axis)  and  radial  (Z-axis)  input 
levels,  therefore  the  benefits  of  a  secondary  isolation  system  in  the  Y-axis 
would  be  negligible. 

3. 5, 5, 6  Acoustics 

Investigations  of  the  FIDO  engine  with  a  JFC  90  control  indicated  that  acoustic 
excitations  are  high  enough  such  that  the  response  at  the  components  may  not 
be  negligible.  However,  with  proper  controller  design,  the  levels  could  be 
made  insignificant  relative  to  acoustically  induced  fatigue  failures.  As  a 
comparison,  the  acoustic  environment  for  the  JFC  90  control  and  the  baseline 
control  is  the  same,  but  the  peak  vibration  response  at  the  printed  circuit 
boards  was  reduced  from  11  G's  on  the  JFC  90  to  3.3  6's  on  the  baseline  by 
improved  housing  design.  While  the  overall  acoustic  db  level  is  higher  for  the 
final  RAEEC  control  than  for  the  baseline  control,  the  acoustic  vibration 
response  at  the  components  in  the  RAEEC  control  has  been  further  reduced  through 
improved  housing  design,  the  ceramic  module  mounting  technique,  and  particularly 
through  the  inherent  stiffness  and  dan>ping  characteristics  of  the  ceramic  sub¬ 
strate  and  heat  transfer  pad.  The  alumina  substrate  has  a  flexural  modulus 
(or  stiffness)  20  times  the  modulus  of  conventional  printed  circuit  board 
laminates.  In  addition,  the  elastomeric  heat  transfer  pad  on  the  back  of  the 
substrate  serves  as  a  well  oamped  elastic  foundation  tor  the  substr^ate.  As 
a  result,  the  natural  frequency  of  the  ceramic  substrate  has  been  raised  to 
2500  H?  and  niqher.  At  the  housing  resonance,  narrow  band  acoustics  amplifies 
inside  the  package  to  an  estimated  maximum  of  2  G's  on  the  power  supply  boards, 
with  little  or  no  effect  on  the  ceramic  substrates.  At  the  natural  frequency 
of  the  ceramic  substrate,  acoustics  is  effectively  attenuated  by  the  housing 
such  that  the  response  at  all  component  locations  is  negligible. 


156 


I 


-  PRIMARY  ISOUkTOR  (LOW  DAMPED) 
SECONDARY  ISOLATOR  (HIGH  DAMPED) 


FIGURE  55  ATTENUATION  CHARACTERISTICS 


SECTION  IV  CONTROLLER  ENVIRONMENT 

4.1  Variable  Cycle  Engine  Simulation 

A  computer  simulation  of  the  VCE  was  used  to  define  the  physical  environment 
for  an  engine-mounted  electronic  controller, 

An  advanced  tactical  fighter  was  selected  for  the  analysis  because  it  repre¬ 
sents  a  typical  application  in  which  a  VCE  can  be  used.  For  this  aircraft  and 
typical  mission  profiles,  a  flight  envelope  was  defined.  The  flight  envelope 
was  used  to  estimate  the  extreme  environmental  conditions  which  the  controller 
would  experience.  The  mission  profiles  were  used  to  estimate  environmental 
points  during  typical  operation.  This  data  will  be  used  as  the  basis  for 
the  design  and  reliability  assessment  of  the  control. 

4.1.1  Aircraft  and  Engine  Selection 

An  advanced  tactical  fighter  was  selected  for  the  analysis  because  it  repre¬ 
sents  a  typical  application  for  a  VCE.  Mission  requirements  for  this  type 
of  aircraft  generally  include  a  significant  amount  of  supersonic  operation.  A 
variable  cycle  engine  can  be  designed  for  high  performance  at  both  subsonic 
and  supersonic  conditions.  The  cycle  would  be  varied  according  to  the  flight 
condition  to  provide  high  performance  at  all  flight  conditions. 

4.1.2  Mission  Profile  Selection 

A  battlefield  interdiction  mission  (Figure  56)  and  a  deep  strike  niipsion 
(Figure  57)  are  typical  requirements  for  an  advanced  tactical  fighter  and  are 
the  basis  of  this  study.  Both  missions  have  a  300-nirii  subsonic  radius  which 
consists  of  takeoff,  climb,  and  subsonic  cruise,  with  a  30-min  loiter  at  re¬ 
turn  to  base.  In  addition,  the  battlefield  interdiction  mission  has  a  15-min 
high  altitude  loiter  before  penetration.  The  altitude  and  Mach  number  of  the 
subsonic  cruise  out  and  back  are  optimized  to  pro''ide  maximum  range  per  pound 
of  fuel  consumed. 

Tlie  battlefield  interdiction  mission  has  a  lOC-nmi  penetration  radius  at  low 
altitude  and  low  supersonic  Mach  number  (20,000  ft,  Mach  1.5).  The  deep-strike 
mission  is  directed  at  enemy  supply  lines,  resulting  in  a  greater  penetration 
radius,  approximately  265  nmi.  After  an  acceleration  to  Mach  2.2,  the  aircraft 
climbs  to  an  altitude  that  provides  the  maximum  range  per  pound  of  fuel  con¬ 
sumed.  The  altitude  of  the  return  leg  at  Mach  2.2  is  also  optimized  for  max¬ 
imum  range  per  pound  of  fuel. 


158 


Cruise 
44,900  ft 
M  0.942 


E-4807 

FIGURE  56  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE  (BATTLEFIELD 
INTERDICTION  MISSION) 


Penetration 
61,900  ft 


Subsonic  Supersonic 

^  300  nmi~~"  265  nml  ^ 

e  -4i;08 

FIGURE  57  ADVANCED  TACTICAL  FIGHTER  MISSION  PROFILE 
(DEEP  STRIKE  MISSION) 


4.1.3  Flight,  Envelope  Definition 

From  the  mission  requirements  and  engine  design  considerations,  the  flight 
envelope  was  defined  (Figure  58).  The  maximum  Mach  number  was  selected  to 
reflect  the  Mach  number  requirements  of  the  deep  strike  mission,  allowing  some 
margin  for  the  inlet  and  duct  heater  designs.  The  maximum  altitude  was 
selected  to  reflect  typical  combat  requirements. 

The  flight  envelope  represents  the  extreme  bounds  of  engine  operation  and  all 
realistic  operational  points  will  lie  within  this  envelope.  Points  10,  11, 
and  12  help  form  these  extreme  bounds  although  they  are  outside  the  realm  of 
realistic  operation. 

4.1.4  Simulation  Methodology 

To  determine  the  worst  operating  environment  that  the  controller  would  exper¬ 
ience,  the  VCE  simulation  was  executed  over  a  full  range  of  power  settings  at 
the  extreme  flight  conditions  defined  by  the  flight  envelope.  The  predicted 
controller  operating  environrrient,  under  these  conditions,  will  be  used  by 
Hamilton  Standard  to  define  the  controller  design.  The  simulation  was  also 
executed  at  typical  flight  conditions  defined  by  the  battlefield  interdiction 
and  deep  strike  missions.  The  predicted  engine  operation  at  these  conditions 
was  used  to  determine  the  controller  operating  environment  under  normal  usage. 
From  the  typical  environment,  the  controller  reliability  will  be  determined. 

Table  23  ('resents  the  predicted  engine  parameters  for  defining  extreme  environ¬ 
mental  conditions  that  the  controller  could  experience  within  tfie  limits  of 
the  flight  envelope.  The  flight  points  presented  in  Table  23  are  also  shown 
on  the  flight  envelope  in  Figure  58.  Flight  points  3  through  9  and  flight 
point  14  were  used  to  define  the  vibrational  loads.  High  rotor  speeds,  hence 
high  vibration  levels,  are  predicted  for  these  flight  conditions. 

At  these  same  conditions,  high  ram  air  temperatures  and  high  duct  flow  temper¬ 
atures  are  also  predicted.  This  results  in  high  thermal  loads  on  the  controller. 
A  cooling  scheme  which  uses  fuel  from  the  engine  boost  pump  presents  a  problem 
at  other  flight  conditions:  At  high  altitudes,  low  Mach  numbers,  and  low  power 
settings,  the  fuel  flow  to  the  engine  is  low  and  its  temperature  is  increased 
due  to  recirculation  through  the  boost  pump.  This  reduces  its  heat  sink  capa¬ 
bility  such  that  the  thermal  loads  at  these  conditions  (flight  points  1,  2,  10, 
11,  12,  and  15)  must  be  evaluated  and  reflected  in  the  controller  design. 

Tables  24  and  25  present  the  predicted  engine  parameters  at  typical  flight 
conditions.  The  tables  contain  these  parameters  tor  the  battlefield  inter¬ 
diction  and  deep  strike  missions,  respectively. 


160 


6 


4.2  Thermal  Environment 


4.2.1  Thermal  Environment  Definition 

Eor  the  thermal  environment  definition,  the  electronic  control  was  assumed  to 
be  in  an  installation  such  as  that  shown  in  Figure  59,  The  control  is  mounted 
on  the  engine  fan  case  inside  the  nacelle.  Nacelle  airflow  enters  through  a 
scoop  near  the  front  of  the  engine,  flows  across  the  electronic  control  and 
other  engine  components,  and  exits  near  the  exhaust  nozzle.  Mounted  in  this 
position,  the  electric  control  temperature  is  influenced  by  the  temperature 
of  the  surrounding  metal  surfaces  and  by  air  temperatures. 

The  nacelle  environment  was  predicted  for  the  electronic  control  mounted  down¬ 
stream  of  the  fan  and  upstream  of  the  duct  augmentor  flame-holders.  The  ther¬ 
mal  gradient  in  the  nacelle  is  negligible  between  these  two  points.  The  temp¬ 
eratures  of  the  nacelle  wall  metal,  outer  engine  case  metal,  and  nacelle  air 
were  calculated  using  the  VCE  siniulatiori  predictions  of  engine  parameters. 

These  calculations  were  derived  by  theoretical  relationships  and  were  based  on 
current  engine  test  data. 

The  predicted  engine  nacelle  thermal  data  presented  in  iable  26  were  calculated 
for  the  same  15  flight  points  defined  in  Table  23  .  This  data  was  tabulated 
to  predict  the  extremes  of  the  environmental  conditions  that  would  result  from 
operating  the  engine  at  the  limits  of  the  aircraft  flight  envelope.  Although 
the  flight  envelope  sets  the  limits  for  which  the  engine  may  be  operated.  The 
use  of  an  aircraft  in  the  assumed  mission  profiles  represents  a  more  realistic 
range  of  operating  conditions.  The  ambient  environment  resulting  from  opera¬ 
tion  of  the  engine  at  the  mission-related  conditions  is  tabulated  in  Tables  27 
and  28.  It  should  also  be  noted  that  the  sea  level  ground  idle  point  has  been 
included  as  a  mission  point  and  is  considered  a  realistic  part  of  the  aircraft 
mission. 

The  nacelle  environments  specified  in  the  tables  are  for  steady-state  opera¬ 
tion.  Because  of  a  transient  thermal  lag,  the  actual  temperature  levels  at 
the  higher  Mach  number  points  may  be  lower  than  the  steady-state  values  shown 
in  the  tables. 

The  predicted  engine  case  temperatures  in  the  tables  assume  a  titanium  honey¬ 
comb  construction.  If  the  electronic  control  were  mounted  in  an  area  of 
sheet  and  stringer  structure,  the  maximum  engine  case  temperatures  shown  in 
the  preceding  column  would  be  used  . 

4.2.2  Cool ing  Methods 

When  the  electronic  control  is  mounted  in  the  location  assumed  in  this  study, 
the  elevated  air  temperatures  and  surrounding  metal  temperatures  result  in 
the  requirement  to  cool  the  control.  The  use  of  fuel  as  a  cooling  medium  is 
well  established  in  current  engine  programs. 


165 


FIGURE  59  ELECTRONIC  CONTROL  MOUNTING  CONFIGURATION 


For  this  study  fuel  temperatures  were  determined  for  three  different  cooling 
fuel  access  points.  These  access  points  are  illustrated  in  Figure  60.  In 
the  first  cooling  method,  fuel  taken  from  access  point  A  at  the  aircraft 
boost  pump  discharge  upstream  of  the  aircraft  heat  exchanger  circulates  through 
the  electronic  control  and  returns  to  the  aircraft  fuel  tank.  In  the  second 
method,  fuel  taken  from  access  point  6  in  the  engine  fuel  supply  line  upstream 
of  the  engine  boost  pump,  but  downstream  of  the  aircraft  heat  exchanger,  cir¬ 
culates  to  the  electronic  control  through  a  motive  flow  system  using  an  ejector. 
The  ejector  motive  flow  is  created  by  the  pressure  rise  across  the  engine  boost 
pump.  Fuel  pickoff  point  B  must  be  located  far  enough  in  front  of  the  boost 
pump  to  prevent  fuel  temperature  elevations  caused  by  fuel  system  recirculation 
flow  to  the  boost  pump.  In  the  third  method,  fuel  taken  from  point  C  at  the 
engine  boost  pump  discharge  circulates  through  the  electronic  control  and  re¬ 
turns  to  the  boost  pump  inlet. 

Extendea  post-mission  operation  has  been  patterned  after  that  experienced  on 
the  F-15  fighter  aircraft.  The  bulk  of  ground  operation  is  experienced  in 
pre-flight  checks  (typically  30  minutes)  as  compared  with  the  shorter  post¬ 
flight  time  (10  minutes). 

The  fuel  temperatures  at  these  three  fuel  system  points  are  presented  for  each 
flight  point  in  Tables  26  through  28.  It  is  evident  that  tank  fuel,  point  A, 
is  at  a  significantly  lower  temperature  than  point  B  or  C  fuel  and  does  not 
vary  appreciably  from  one  flight  condition  to  another  as  does  point  B  and  C 
fuel . 

The  method  used  to  determine  the  fuel  tank  temperatures  was  developed  during 
the  Full  Authority  Digital  Electronic  Control  study  and  was  based  on  Air  Force 
report  AFAPL-TR-73-51 ,  Aircraft  Fuel  Heat  Sink  Utilizations.  This  method 
evaluated  the  fuel  temperature  level  and  contributors  to  fuel  temperature  rise 
or  decrease  at  each  step  of  fuel  handling  or  usage  from  ground  bulk  storage 
to  engine  combustor.  Initial  tank  temperatures  of  135''F  for  flight  envelope 
conditions  and  80°F  for  mission  profile  studies  were  assumed.  Heating  and 
cooling  rates  for  the  tank  fuel  over  the  flight  envelopes  and  mission  profiles 
were  calculated  using  a  time  constant  estimated  from  F-4C,  F-5A,  and  F-lllA 
aircraft  inflight  temperature  profiles  presented  in  report  AFAPL-TR-73-51. 

Point  "A"  maximum  column  reflects  the  maximum  temperature  of  the  fuel  in  the 
aircraft  tank  after  a  12  minute  duration  at  each  flight  condition  in  Table  26. 
The  12  minute  duration  was  used  to  correlate  the  time  at  the  extreme  flight 
envelope  temperature  with  the  time  duration  expected  at  high  Mach  conditions 
in  the  mission  requirements.  At  each  flight  condition  given  in  Table  26,  the 
initial  tank  temperature  was  assumed  to  be  135"F  which  is  *he  maximum  tank 
temperature  recorded  in  current  engine  aircraft  fuel  tanks  on  the  ground  on 
extreme  hot  day  conditions. 


170 


I 


FIGURE  60  COOLING  FUEL  ACCESS  POINTS 


The  Point  "A"  average  column  reflects  the  temperature  cf  the  fuel  in  the  air¬ 
craft  tank  after  a  12  minute  duration  at  each  flight  condition  in  Table  26, 
assuming  an  initial  temperature  of  SO^F  as  an  average  aircraft  fuel  tank  temp¬ 
erature  on  the  ground. 


The  tank  temperature  provided  in  Tables  27  and  28  for  Point  "A"  are  the  temp¬ 
eratures  existing  in  the  fuel  tanks  as  a  result  of  operating  the  aircraft 
through  the  mission  profiles  used  in  the  study. 


For  this  study,  it  was  assumed  the  shaft-power  requirements  of  the  aircraft 
wore  met  with  an  engine-driven  aircraft  mounted  gearbox  (as  in  the  F-15  and 
F-16).  The  heat  rejected  from  that  gearbox  is  imoarted  to  the  aircraft  fuel 
tiu'ough  an  aircraft  mounted  heat  exchanger.  This  heat  load  that  is  recirculated 
by  the  aircraft  fuel  handling  system  is  the  major  contributor  to  fuel  temper¬ 
ature  rise  in  the  fuel  tanks  and  to  the  elevation  of  fuel  temperature  between 
the  fuel  tank  supply  at  Point  "A"  and  the  engine  boost  pump  inlet  Point  "B". 


1 


*■. 

I 

i 


The  fuel  temperature  as  supplied  to  the  electronic  control  from  access  point 
B  was  based  on  the  temperature  of  the  fuel  upstream  of  the  engine  boost  pump. 
This  fuel  has  a  temperature  elevated  above  that  of  the  fuel  tank  supply  temper¬ 
ature  as  a  result  of  the  addition  of  heat  from  the  aircraft  neat  exchanger. 

This  temperature  is  a  function  of  climatic  conditions,  tank  temperatures,  rris- 
sion  points,  and  the  extent  to  which  the  aircraft  uses  the  fuel  heat  sink  capa¬ 
bility.  The  maximum  temperature  of  this  fuel  supplied  to  the  engine  is  a  nego¬ 
tiated  specification  depending  on  engine-aircraft  application  and  is  controlled 

by  the  aircraft  fuel  management  system,  to'-  this  study,  tne  maximuni  limit  wa^ 

set  at  200'F  based  on  current  engine  applications. 

The  temperatures  tabulated  for  access  point  C  boost  pump  discharge  cooliiio  fue^ 
are  elevated  above  the  point  B  cooling  loop  by  the  temperature  '^ise  of  the 
boost  pump.  This  temperature  rise  is  a  function  of  fuel  pump  design  i.e., 
efficiency,  flow  curves,  and  pump  bearing  cooling  flows).  Since  this  study 
does  not  address  pump  design,  the  data  for  the  engine  ooost  pumo  temperature 
rise  was  based  on  existing  test  data  for  state-of-the-art  pumps. 

The  mission  profile  environmental  data  reflects  ambient  air,  metal, and  fuel 
temperatures  at  steady-state  engine  operation  at  the  specified  flight  condi¬ 
tion.  However,  the  tank  supplied  cooling  fuel  may  undergo  teiiiperaiu''e  trans¬ 
ients  during  air  refueling.  The  maximiuni  change  would  be  from  13B^  to  O'^F. 
Engine  supply  fuel  temperature  transients  of  200'  to  180'F  in  2.5  sec  during 
power  lever  transients  are  typical.  The  total  simultaneous  ambient  pressure 
and  temperature  changes  may  be  as  much  as  6  psi/min  and  lO'F/sec. 

The  primary  fuel  usea  to  cool  the  control  will  be  fuel  conforninc  to  o*'  having 
the  variations  in  characteristics  permitted  by  nlL-T-5624,  Grade  JP-4.  /Alter¬ 
nate  fuels  are: 


172 


iwawiwi»‘ni"  I  ly 


•  MIL-T-5624,  Grade  JP-5  (12  centistokes  or  less) 

•  ASTM  Types  A  and  B 

•  NATO  Fuel  No.  F-40  and  F-44  (equivalent  to  Grades  JP-4  and 
JP-5,  respectively). 

These  fuels  may  also  contain  anti-icing  additive  conforming  to  MIL-I-27686 
and  added  in  the  same  concentrations  as  specified  for  the  primary  fuel. 

4.2.3  Moisture 

The  types  of  moisture  which  the  electronic  control  would  be  exposed  to  are 
humidity,  condensation  and  precipitation. 

The  humidity  would  affect  the  control  during  temperature  changes  which  could 
condense  the  moisture  out  of  the  air  and  deposit  it  on  the  interior  and  ex¬ 
terior  surfaces  of  the  control.  The  most  common  occurrence  of  condensation 
would  be  in  a  huniid  tropical  climate  when  the  nighttime  temperature  drops  the 
air  temperature  to  the  dewpoint  causing  condensation  of  the  water  vapor  in  the  - 
air.  Typically  on  a  95''F  day  with  a  relative  humidity  of  75%  the  dew  point 
would  be  reached  py  lowering  the  temperature  to  85''F.  At  this  point  the  air 
would  have  an  absolute  humidity  of  .0.026  lbs.  of  moisture/lb.  of  dry  air  which 
is  about  13  grains  per  cu.  ft. 

The  condensation  of  water  vapor  on  the  control  and  penetration  into  the  con¬ 
trol  could  also  occur  as  a  result  of  altitude  change  and  temperature  change 
of  the  air  surrounding  the  EEC  in  the  nacelle.  The  worst  case  temperature 
and  altitude  cycle  during  an  aircraft  mission  would  occur  during  take-off  and 
landing  in  a  tropical  climate.  Assuming  a  95®F  day  with  a  relative  humidity 
of  95%  the  air  around  the  control  has  a  specific  humidity  of  .035  at  29.9  in. 

Hg.  The  aircraft  would  take-off  and  climb  to  an  altitude  of  approximately 
38,000  feet  where  the  specific  humidity  would  be  less  than  .001  at  a  tempera¬ 
ture  of  -I'F  and  pressure  of  6.1  in.  Hg.  at  cruise  power.  The  specific  humid¬ 
ity  would  vary  with  altitude  during  the  climb  as  shown  by  Figure  61.  During 
the  remaining  part  of  a  mission,  the  aircraft  would  remain  at  high  altitude 
conditions  and  low  humidity.  The  aircraft  would  then  complete  the  mission  by 
landing  during  a  5  minute  descent  from  the  low  humidity  high  altitude  condition 
to  the  95°F,  95  percent  humidity  condition  assumed  initially. 

The  above  humidity  cycle  during  normal  operation  and  mission  cycle  does  not 
consider  the  area  of  moisture  due  to  precipitation.  Since  the  aircraft  must 
operate  in  most  weather  conditions,  the  area  of  rainfall  must  be  considered. 
Although  the  control  is  located  inside  the  airframe  or  nacelle,  it  is  not 
completely  sheltered  from  the  moisture.  The  nacelles  are  typically  purged 
with  outside  air  by  air  scoops  or  an  ejector  system.  For  the  worst  case 
application  we  can  assume  that  the  liquid  water  content  in  the  nacelle  is  the 
same  as  in  the  outside  air. 


173 


Although  the  intensity  of  precipitation  varies  frorri  storm  to  storm  and  within 
the  same  storm  cell,  models  have  been  developed  esti"iatinc  the  extremes  in 
the  tropics.  These  extremes  were  calculated  by  extrapolating  sui'face  climato¬ 
logical  intensities  with  known  probabilities,  by  employing  recorded  extremes 
aloft  and  by  utiliiiing  research  information  from  meteorologists  specilizing 
in  cloud  physics  and  radar  meteorology.  These  extremes  are  published  by  the 
Air  Force  Cambridge  Research  Laboratories  (AFCRL)  in  Reference  4.  Table  29, 
taken  from  the  reference  presents  precipitation  extremes  at  sea  level  and  aloft 
that  are  exceeded  with  an  Overage  probability  of  0.5  and  G.l  percent  in  the 
rainiest  tropics  during  the  rainiest  months.  In  Table  29  the  0.5  percent  sur¬ 
face  precipitation  range  of  0.80  millimeters  per  minute  and  its  corresponding 
2.22  grams  of  water  per  cubic  meter  {g/mSl  of  air  was  calculated  using  weatlier 
records  for  several  locations  in  the  rainy  tropics.  The  0.1  per  cent  probable 
extreme  at  the  surface  was  calculated  using  the  weather  record  for  Cherapunji, 
India,  the  station  with  the  world's  greatest  rainfall  amount. 

If  an  aircraft  penetrates  a  0.5%  worst  precipitation  area  "on  the  deck",  it 
would  experience  a  liquid  water  content  of  only  2.22  gm/m3  by  niaking  the 
assumption  that  no  clouds  occur  on  the  deck.  At  1.5  kilometers,  about  5,000 
feet,  it  would  experience  4.56  gm/m  (orecipitation  plus  clouds).  The  moisture 
level  would  peak  at  about  4.5  to  6  kilometers  (about  15,000  tu  20,000  feet) 
at  5.47  gT./m3 .  The  same  type  scenario  can  be  made  for  the  C.1%  probability 
area.  It  should  be  noted  that  the  liquid  water  contents  are  lowest  at  sea 
level  and  above  20,000  feet. 

The  AFCRl  data  is  Suniinar  i  zed  in  Table  3C  piov'idiug  pt  ec  i  u  i  ta  I  ion  liquid  water 
amounts  in  gm/m3  and  percent  water  to  air  by  weight  ratio. 

Another  source  of  moisture  to  the  control  would  be  in  the  form  of  cleaning 
solution  used  to  wash  down  the  engines.  The  engine  arid  all  the  components 
are  spray  washed  with  a  P086O  or  PD880  petroleum  distillate  cleaning  solution. 
This  is  done  on  a  random  basis  as  needed.  During  the  engine  wash  down  the 
C'-ntrol  and  associated  connectors  are  completely  wetted  with  the  solution. 

4.2.4  Fuel  and  Oil  Resistance 

The  environment  inside  the  'lacelle  is  normally  purged  by  ducting  outside  air 
into  the  nacelle  (See  Figure  59).  The  airflow  will  keep  the  duct  purged  of 
fuel  and  oil  vapors  during  engine  operation.  The  electronic  control  and  its 
electrical  connectors  will  be  operating  in  an  area  where  engine  fuel  or  oil 
spills  could  occur  and  therefore  must  be  compatible  with  engine  fuels  (XIL- 
T-6625,  JP-4  and  JP-5)  and  lubricating  oil  {MIl-L-7808  and  MlL-L-23699 ) . 

Lab  analyses  of  deposits  from  outside  cases  of  current  engine  electronic  con¬ 
trols  show  trace  amounts  of  petroleum  distillates  used  in  engine  wash  downs. 

The  electronic  control  is  completely  wetted  with  these  cleaning  solutions  ano 
must  therefore  be  designed  to  be  compatible. 


TABLE  29  LOW  PROBABILITY  MODELS  OF  PRECIPI TATIOM  RATES  AND  LIQUID  WATER  ALOFT 


TABLl  30  SUMI-'.ARY  OF  LIQUIi!  WATlU  CONTENT  AT  ALTITUDE 


(SIESENWINE,  AFCRL-72-0369,  1972) 


VALUES  EXCEEDED 

■■ 

THESE  VALUES  EXCEEDED 

,  1  AN  AVERAGE  PROB- 

WITH  AN 

AVERAGE  PROB- 

ALTITUDE 

ABILITY  OF 

.5  PER  CENT 

ABILITY 

OF  .1  PER  CENT 

KM 

FEET 

3__ 

WW  , 

9 

WW  ^ 

CU.M 

WA 

CU.M 

WA  ^ 

0 

0 

2.22 

.18% 

8.35 

.88 

4.5 

14760 

5.47 

.5  % 

20.96 

2.69 

6 

19680 

5.47 

.83% 

20.96 

3.2 

9 

29520 

3.12 

.67% 

11.85 

2.53 

15 

49200 

.78 

.4  % 

3.03 

1.55 

7 


4.3  Vibraticn,  Acoustic,  and  Impact  Environment 
4.3.1  Vibration  Environment  Definition 

One  area  of  tiie  electronic  control  environment  that  has  exhibited  considerably 
more  hostile  conditions  than  were  predicted  by  military  specifications  is  tne 
vibration  environment.  Engine  test  data  shows  that  vibratory  acceleration  levels 
in  the  hi gli- frequency  range  are  significantly  higher  than  specified  in  MIL-STD- 
810B.  Based  on  the  VCE  fan  design,  using  current  engine  test  data  as  a  ref¬ 
erence,  the  VCE  vibration  levels  in  the  500  to  20,000  Hz  range  at  the  elec¬ 
tronic  control  location  are  predicted  to  be  well  above  the  military  specifica¬ 
tion,  with  respect  to  both  amplitude  and  maximum  frequency  (See  Figure  62). 
Vibratory  acceleration  in  this  range  was  determined  from  fan  pressure  ratio, 
fan  blade  numbers,  and  fan  tip  speed.  The  major  source  of  high  vibration  levels 
in  the  500  to  20,000  Hz  range  is  the  fan,  and  the  VCE  fan  shows  an  increase  in 
fan  pressure  ratio  and  fan  tip  speed  over  current  engines.  These  fan-induced 
high-frequency  vibration  levels  (Figure  62)  are  strongly  influenced  by  axial 
iocation  of  the  control  on  the  engine  case.  Vibration  levels  in  the  500  to 
20,000  Hz  range  would  be  20*  higher  if  the  control  were  located  on  the  fan  case 
and  30%  Icwer  than  shown  in  Figure  62  if  located  in  the  immediate  vicinity  of 
the  rear  engine  mount  (Figure  63).  The  potential  exists  for  localized  vibra¬ 
tion  levels  being  reduced  due  to  specific  engine  design.  However,  these  reduc- 
tionb  cannot  be  anticipated  because  the  engine  definition  utilized  for  this 
study  is  effectively  an  aerodynaniic/thermodynamic  model. 

Low-f requency  vibration  (10  to  500  hz.  Figure  6?)  is  dominated  by  high  rotor 
and  low  rotor  excitations.  Vibration  acceleration  level  in  this  range  is  not 
a  function  of  axial  location  along  the  engine  case. 

Oi screte-f requency  acceleration  and  displacement  levels  are  identified  in 
Figure  04  for  fan  (Ep)  and  high  rotor  (Eh)  excitation  orders;  all  of  these 
frequency  components  appear  simultaneously.  At  20Ep,  24Ep,  and  AOEp  the 
radial  and  tangential  acceleration  levels  are  760g,  while  the  axial  accelera¬ 
tion  is  only  half  that  level.  In  the  Low-frequency  range,  displacement  level 
is  the  more  significant  indicator. 

Figure  6b  illu.,trates  schematically  the  vibration  definition  witn  respect  to 
the  control  mounting  syste'".  The  schematic  shows  that  the  vibration  defineo 
for  the  engine  in  this  study  can  be  altered  by  the  case  structure,  bracket 
structure,  vibration  isolators,  and  control  packaging  techniques. 

The  electronic  control  receives  vibration  excitation  from  all  contacts  with 
the  engine.  Including  fuel  and  pneumatic  plumbing  and  electrical  cables,  as 
well  as  the  electronic  control  nountiig  brackets.  The  vibration  received  from 
the  electrical  cables  has  been  found  to  be  sriall  because  of  the  flexible  con¬ 
struction  of  the  cable  harness.  There  have  been  significant  levels  of  vibration 


V»braiofy  Accelefalion,  -t  g 


HIGHEST  PEAKS  IN  FREQUENCY  SPECTRUM  AT  OUTER  ENGINE  i  ASE 
,000  , -  JUST  UPSTREAM  OF  DUCT  FLAMEHOLDER 


Frequency  -  Hz 


FIGURE  62  PREDICTED  VIBRATION  ENVIRONMENT  FOR  VARIABLE  CYCLE  ENGINE 


Front  Mount 


Rear  Mount 


/ 


Locating  Control 
Here  increases 
Vibration  Level 
by  20% 


Locating  Control 
in  Hot  Section 
Decreases 
Vibration  Level 
by  30%  - 

Vibration  Levels  m 
the  500  to  20,000  Hz  Range 
are  Defined  for  Electronic 
Control  Located  In  this  Position 


IGURE  63  EFFECT  ON  VIBRATION  ENVIRONMENT  OF  MOVING  CONTROL 
LOCATION  AXIALLY 


100 


Order 


IEf 

IcH 

2Ef 

2Eh 

4Ef 

IGEp 

20Ef 

24Ef 

40Ef 


Highest  Predicted  Vibration 
Level  (Maximum  Peak) 


Frequency  Range  (Hz) 

Displacement  (mils) 

Acceleration  (g) 

65  to175 

±5 

Insignificant 

150  to  225 

±3  85 

130  to  350 

±1 

300  to  450 

±0.75 

260  to  700 

Insignificant 

±20 

1040  to  2800 

±100 

1300  to  3500 

1 

1 

±760  1  1  Radial  100% 

1560  to  4200 

±760  y  /  Tangential  100% 

2600  to  7000 

±760  j  )  Axial  50% 

FIGURE  64  PREDICTED  VARIABLE  CYCLE  ENGINE  INSTANTANEOUS  VIBRATION 
SPECTRUM  AT  THE  ELECTRONIC  CONTROL  LOCATION 


Typical  Application 


Dynamic  Schematic 


Bracket- 


-Honeycomb 
Outer  Fan 
Case 

—  Isolator 


Bracket 

Stifiness 

Isolator 

Stiffness 


Control  Package 


—Vibration 
Defined  Here 

Bracket  Mass 

Control  Package 
Mass 


FIGURE  65  SCHEMATIC  REPRESENTATION  OF  CONTROL  MOUNTING  WITH 
RESPECT  TO  VIBRATION 


^  140 


Blade  Passing  Discretes 

20EFZ:i2rt2^40EF 

24Ef 


5  130 


Random  Noise  Envelope 


S  120 

a 

tn 

•o 

c 

O  no 

CO 


Overall  Sound  Pressure  Level 
OU  He  to  30,000  Hz):  158  dB 


100  1000 

Frequency  -  Hz 


10  000 


100,000 


FIGURE  66  PREDICTED  VARIABLE  CYCLE  ENGINE  ACOUSTIC  ENVIRONMENT 


102 


iffr"!:  atp'  11^1 


attributed  to  electronic  control  fuel  plumbing  connections  which  bypass  the 
control  mounting  bracket  isolation.  This  problem  can  be  significantly  re¬ 
duced  in  advanced  engines  by  proper  engine  fuel  pump  design  techniques  or 
by  plumbing  the  control  to  the  aircraft  fuel  tank.  The  levels  of  vibration 
expected  from  an  aircraft  fuel  tank  design  would  be  less  than  lOg  and  would 
occur  at  frequencies  less  than  500  H2. 

The  vibration  associated  with  aircraft  gunfire  for  the  F-15  aircraft  was  re 
viewed  and  based  on  current  fighter  aircraft  design  practices  there  is  no 
significant  gunfire  vibration  passed  thru  the  aircraft  to  the  engine  mounts 

4.3.2  Acoustic  Environment  Definition 


The  random  noise  portion  of  the  acoustic  environinent  was  derived  from  current 
engine  test  data  and  predicted  for  the  VCE,  based  on  VCE  burner  pressure  rise, 
and  fan  tip  speed  (Figure  66). 

4.3.3  Impact  Environment  Definition 

4.3.3. 1  Impact  Installed  in  Aircraft 

The  impact  shock  loading  associated  with  the  engine  electronic  control  is 
generated  by  aircraft  landing  or  engine  surge.  Current  engine  applications  of 
electronic  controls  have  shown  the  shock  load  associated  with  lanaing  or 
engine  surge  to  be  less  than  10  g's. 

4.3. 3. 2  Impact  and  Vibration  During  Transportation 

Engine  Controls  are  shipped  primarily  by  truck  and  by  air  transportation. 

Shock  forces  experienced  during  handling  are  probably  the  most  severe  that 
are  encountered  during  the  entire  logistics  cycle.  Generally  those  forces 
are  the  result  of  the  package  being  dropped.  The  amount  of  shock  experienced 
by  the  package  when  dropped  is  directly  affected  by  the  pulse  duration,  or 
the  shock  rise  time.  The  shock  rise  time  is  dependent  on  the  yielding  mass 
and  is  a  function  of  its  compressibility  and  elasticity.  Other  factors 
affecting  shock  rise  time  include  the  resiliency  of  the  impact  surface  and  the 
extent  of  the  contact  area,  which  may  be  a  flat  or  curved  surface,  an  edge,  or 
a  point. 

Shock  and  vibration  imparted  by  each  mode  of  transportation  are  described 
below: 

4. 3. 3. 2.1  Truck  Transportation  The  shocks  and  vibration  encountered  by 
transportation  of  material  over  the  highway  depend  to  some  degree  on  the  high¬ 
way  surface  and  on  the  characteristics  of  the  transporting  vehicle.  Figure 
67  shows  the  maximum  shock  in  three  planes  and  vibration  in  the  vertical  plane 


w 

u 

u 


FIGURE  67  CARGO  ENVIRONMENTS  FOR  HIGHWAY  TRANSPORT 


184 


obtained  by  the  military  for  many  types  of  road  conditions  and  vehicles. 


4. 3. 3. 2. 2  Air  Transportation  In-flight  shock  and  vibration  may  be  as  high 
as  2  to  3  6's  during  normal  operation  of  large  commercial  transport  aircraft. 
The  most  damaging  conditio, is  are  the  shocks  resulting  from  handling.  Figure 
68  shows  the  maximum  shocks  recorded  during  a  test  shipment  in  which  two 
impact  recorders  were  placed  in  a  wooden  box  having  a  total  weight  of  73 
pounds.  The  maximum  acceleration  experienced  was  9G's  due  to  handling. 

Air  transportation  data  from  field  studies  of  one  of  the  military  services 
is  summarized  in  Figure  69.  Envelopes  of  maximum  values  are  recorded  in  three 
planes  for  vibration  and  in  the  vertical  plane  for  shock.  It  ’s  anticipated 
that  data  taken  under  emergency  conditions  would  show  accelti  tions  that  are 
somewhat  higher. 


4.4  Electrical  Environment  Definition 


4.4.1  Summary 

The  lightning/EMI  environment  of  a  full  authority  electronic  engine  controller 
must  be  understood  in  order  that  adequate  protective  features  can  be  provided 
in  the  controller  design  to  prevent  any  harmful  effects  on  the  controller  cir¬ 
cuitry.  This  report  describes  the  nature  and  magnitude  of  the  assumed  light¬ 
ning/EMI  environment. 

4.4.2  General 

The  engine  control  when  mounted  on  the  VCE  engine  inside  the  engine  nacelle  is 
subjected  to  controlled  amounts  of  high-frequency  electromagnetic  interference 
(EMI)  energy  from  radar,  communication,  and  navigation  transmitters  and  to 
lower-frequency  interference  energy  from  lightning  strokes. 

Lightning  is  potentially  capable  of  serious  effects  on  both  engines  and  con¬ 
trols.  Protective  features  must  prevent  the  effects  of  direct  lightning  strikes 
including  the  blasting,  burning,  direct  coupling  of  voltage  and  currents,  and 
structural  deformation  caused  by  direct  lightning  arc  attachment  as  well  as 
the  high  pressure  shock  waves  and  magnetic  forces  produced  by  the  associated 
high  currents.  Indirect  effects  of  lightning  to  protect  against  are  the  damage 
and  malfunctions  due  to  the  large  voltages  and  currents  induced  in  the  cables, 
wires,  and  circuits  by  the  electromagnetic  fields  associated  with  lightning. 

The  electric  field  environment  follows  with  the  lightning  environment  first  and 
then  the  environment  due  to  electromagnetic  interference  from  ground  and  air¬ 
borne  transmitters.  In  describing  the  lightning  environmient,  information  was 
compiled  from  References  23  through  35. 


185 


FIGURE  68  MAXIMUM  SHOCKS  RECORDED  DURING  AIRLINE  TEST  SHIPMENT 


186 


ATION- 


0  200  400  600  600  1000  1200 

FREQUENCY 

-  VIS/fATtOM,  VCMTlCAL-LATeHAL-LONBITUOINAL  - 


0  .020  .040  .060  OBO  .100  J20 


TIME  IN  SECONDS 
~S  MO  C  H 


FIGURE  69  CARGO  ENVIRONMENTS  FOR  AIR  TRANSPORT 


1B7 


4.4.3  Lightning  Environment 
4.4.3. 1  Lightning  Strike  Statistics 

The  Lightning  and  Transients  Research  Institute  lightning-strike  records  in¬ 
dicate  an  average  of  about  one  lightning  discharge  for  2500  hours  of  flight 
time  per  commercial  aircraft  on  domestic  routes.  This  figure  drops  to  a  much 
lower  value  of  about  one  strike  per  10,000  hours  for  long-range  flights  in 
which  the  aircraft  spends  a  much  greater  percentage  of  its  time  at  altitude. 
These  records  also  indicate  that  strikes  to  the  engine  nacelles  are  very  in¬ 
frequent,  of  the  order  of  a  few  percent. 

USAF  experience  for  the  years  1965  to  1969  indicates  an  average  of  99,200 
mean  hours  between  lightning  strikes  for  fighter  aircraft.  However,  the 
strike  experience  in  Europe  is  10  times  more  frequent  than  in  the  U.S.  and 
in  most  other  parts  of  the  world.  RF-4C  aircraft  flying  in  Europe  report 
10.5  strikes  per  100,000  hours,  which  rate  is  about  5  times  greater  than  the 
world-wide  exposure  rate  for  these  aircraft.  For  three  different  models  of 
the  F-4,  a  maximum  of  8%  of  the  strikes  were  to  the  fuselage.  The  higher 
lightning-strike  exposure  seems  to  result  both  from  the  level  of  lightning 
activity  in  Europe  and  from  the  political  constraints  placed  on  flight  paths 
in  this  multinational  region. 

The  various  factors  described  which  influence  lightning-strike  frequency  in¬ 
dicate  the  care  with  which  lightning-strike  statistics  must  be  approached. 

The  following  factors  have  been  shown  to  be  important,  and  their  contributions 
must  be  assessed: 

a)  Significant  differences  in  reporting  requirements. 

b)  Commercial  or  military  aircraft. 

c)  Flight  plans,  including  requirements  to  fly  in  all  weathers. 

d)  Flight  paths,  including  opportunities  for  thunderstorm  avoidance. 

e)  Altitude. 

f)  Weather  conditions,  including  temperature,  precipitation,  and 
turbulence . 

g)  Aircraft  size  and  shape. 

h)  Piston  or  jet  engines. 

One  important  factor,  which  is  not  reflected  in  the  current  damage  statistics 
is  that  aircraft  are  probably  often  struck  with  low  current  discharges  which 
are  not  reported.  A  typical  upper  region  intra-cloud  discharge  may  be  fairly 
low  in  current  magnitude,  of  the  order  of  a  few  thousand  amperes,  with  low 
current  rates  of  rise.  This  strike  results  in  almost  no  noise  and  very  little 
indication  to  the  pilot,  particularly  with  a  strike  to  the  aft  portion  of  the 
aircraft.  With  all  metal  skins,  the  low  amplitude  discharges  produce  very 
minor  pitting  and  the  aircraft  would  have  to  be  carefully  examined  over  its 
entire  outer  surface  after  every  flight  to  detect  that  a  strike  had  occurred. 


180 


4. 4. 3. 2  Lightning  Strike  Characteristics 

It  is  useful  to  review  briefly  the  basic  mechanisms  of  stroke  contact  to  an 
aircraft  as  illustrated  in  Figure  70.  Natural  lightning  discharges  initiate 
from  a  charged  region  in  a  cloud  in  the  form  of  a  "step  leader"  which  advan¬ 
ces  in  approximately  50  meter  steps  toward  another  charge  region  or  toward 
the  earth.  In  some  cases,  the  aircraft  triggers  a  lightning  discharge  which 
would  not  have  occurred  otherwise,  and  in  some  cases,  it  merely  diverts  the 
discharge  slightly  out  of  its  normal  path  so  that  the  stroke  passes  through 
the  aircraft.  As  a  step  leader  approaches  an  aircraft,  the  intense  voltage 
existing  between  tlie  tip  of  the  step  leader  and  the  aircraft  induces  streamers, 
intense  ionization,  from  all  the  external  aircraft  surfaces  and  particularly 
the  extremeties.  This  is  illustrated  in  Figure  71  showing  streamering  from  a 
model  aircraft  subject  to  intense  cross  fields  in  the  laboratory.  The  step 
leader  contacts  one  of  the  vehicle  extremeties  through  the  streamer,  and  the 
vehicle  potential  is  immediately  raised  to  the  extreme  potential  of  the  light¬ 
ning  discharge.  Then  additional  streamering  takes  place  from  the  opposite 
extremeties  of  the  vehicle  to  form  the  step  leader  for  the  convinuation  of  the 
stroke  paths  to  other  charged  regions  or  to  the  earth.  Data  indicate  that  jet- 
engine  exhaust  is  only  slightly  more  ionized  than  the  ambient  air  and  much 
less  so  than  rocket  exhaust  with  the  result  that  jet  exhaust  has  insufficient 
conductivity  to  initiate  or  attract  a  lightning  leader. 

When  the  step  leader  contacts  the  earth  or  another  charged  region,  the  exist¬ 
ence  of  an  ionized  conducting  path  between  the  earth  and  the  charged  region 
(or  the  two  oppositely  charged  regions)  results  in  a  large  surge  current,  a 
kind  of  huge  short  circuit,  in  the  form  of  an  ionization  wave  which  travels 
back  up  the  step  leader  path  to  the  initiating  charge  region  in  the  cloud. 

This  high  current  ionizing  wave  is  referred  to  as  the  "return  stroke".  This 
phase  is  followed  by  an  intermediate  current,  a  long  duratio.  current  of  about 
100  amps  and  sometimes  one  or  more  restrikes.  (Note  that  in  any  case  of  signi¬ 
ficant  damage  to  an  aircraft,  the  discharge  passed  through  the  vehicle  and 
did  not  initiate  from  it  or  terminate  on  it  as  is  often  indicated  in  strike 
reports).  The  different  phases  of  the  discharge  are  also  illustrated  in 
Figure  71  showing  a  triggered  natural  lighting  discharge  to  the  LTRI  research 
vessel.  Thunderbolt,  triggered  by  firing  a  small  rocket  carrying  a  fine  wire 
to  an  altitude  of  3C0  to  1000  feet.  The  associated  current  waveform  is  shown 
in  the  osci 1 logram. 

Lightning  strokes  thus  genei'ally  consist  of  (a)  an  initial  high  current  strike, 
(b)  an  intermediate  current  component,  (c)  a  low  current  continuing  component, 
and  (d)  multiple  re-strikes  with  as  many  as  30  discharges  in  a  single-stroke 
lasting  for  as  long  as  three-quarters  of  a  second.  The  time  between  re-strike 
is  usually  about  15  to  30  msec. 


189 


.  . . .  Mil  i,i  ilUli  .iiii: 


HIGH  CURRENT 
RETURN  STROKE 

CONTINUING  CURRENT 

RESTRIKES 


PHOTOGRAPH  OF 
TRIGGERED  NATURAL 
LIGHTNING  DISCHARGE 


HIGH  CURRENT 
RETURN  STROKE 

CONTINUING  CURRENT 
RESTRIKES 


OSCILLOGRAM  OF 
TRIGGERED  NATURAL 
LIGHTNING  DISCHARGE 


AIRCRAFT  PRIOR  TO  STRIKE 


Because  of  motion  of  the  aircraft  past  the  relatively  stationary  lightning 
channel,  the  stroke  may  sweep  backwards  over  the  aircraft,  permitting  contact 
at  nearly  any  point  behind  a  major  forward  strike  point,  such  as  the  nose. 

This  means  that  initial  attachment  or  hang-on  of  the  flash  may  be  expected 
at  any  section  of  an  engine  from  the  intake  inlet,  over  the  outside  housing, 
to  the  exhaust  nozzle  at  the  rear.  FAA  advisory  circular  AC  20-53  defines 
the  fuselage  tail  cone  as  being  in  zone  1,  which  includes  points  of  direct 
stroke  attachment.  The  task  F  subcommittee  of  the  SAE  Committee  AE-4  on 
Electromagnetic  Compatibility  has  defined  the  fuselage  tail  cone  as  being  in 
zone  IB,  which  includes  initial  attachment  points  with  high  probabilities  of 
flash  hang-on.  Assuming  that  the  subject  aircraft  of  this  study  has  its  engine 
exhaust  nozzles  projecting  beyond  the  tail  empennage,  these  nozzles  will  be 
within  zones  1  or  IB. 

4. 4. 3. 3  Lightning  Related  Assumptions 

Definition  of  the  lightning/EMI  solution  is  heavily  dependent  on  the  detailed 
form,  configuration  and  materials  content  of  the  engine/nacelle  design.  In 
the  absence  of  sucli  detail  for  the  VCE  engine  and  installation,  a  few  broad 
assumptions  will  be  made  in  the  event  that  they  may  be  useful  in  a  preliminary 
design . 

4.4. 3.3.1  Preferred  Structural  Path  It  is  assumed  that  the  airframe  has  been 
designed  with  lightning  strikes  in  mind  and  that  a  preferred,  continuous, 
metallic  path  is  provided  from  the  preferred  point  of  lightning  entry  to  the 
preferred  exit  point.  The  metallic  path  is  assumed  capable  of  conducting  the 
peak  and  continuing  currents  of  the  lightning  strike  without  damage  and  with¬ 
out  jeopardizing  the  vehicle  or  crew  safety.  The  metallic  path  consists  of 
both  internal  structure  and  metal  skin.  The  increasing  use  of  boron-and 
graphite-reinforced  composites  to  fabricate  body  panels  is  anticipated,  par¬ 
ticularly  in  the  tail  area  and  to  a  lesser  extent  in  the  forwaro  fuselage. 
Because  of  heat  problems  and  the  intricate  shape  of  body  panels  covering  the 
engine,  it  is  assumed  that  metal  skin  will  continue  to  be  used  in  the  engine 
area.  The  preferred  metallic  path,  including  mated  surfaces  and  bonds,  is 
assumed  to  comply  with  the  Class  L  requirements  of  MIL-B-5087B.  The  impedance 
between  preferred-path  extremities  is  assumed  low  enough  so  that  a  test  current 
of  200kA  peak,  20us  wide  at  50%  amplitude,  and  a  risetime  of  100kA//is  will 
cause  a  voltage  drop  in  the  path  of  500V  maximum.  This  impedance  is  also 
assumed  to  be  retained  for  the  life  of  the  aircraft. 

Boron-and  graphite-reinforced  plastics  consist  of  filaments  of  these  materials 
imbedded  in  a  resin  matrix.  Because  of  the  metal  filaments,  composites  have 
some  shielding  effectiveness,  but  it  is  very  low,  and  much  less  than  an  alumi¬ 
num  skin.  Resistivities  for  typical  boron  and  graphite  composites  are  2000 
and  36  times  respectively,  that  of  aluminum,  and  for  boron  composites  is  dom¬ 
inated  by  the  tungston  filament  on  which  the  boron  is  deposited.  Magnetic- 


field  attenuation  provided  by  graphite  composite  0.0375"  thick  varies  from 
16dB  at  30MH2  to  30dB  at  500MHZ.  By  comparison,  aluminum  of  the  same  thick¬ 
ness  has  over  500dB  of  absorption  loss  at  these  frequencies.  Composite  panels 
usually  requi>^e  protection  from  overheating  when  carrying  direct-strike  cur¬ 
rents,  particularly  zone  1  locations.  Such  protections  include  wire  fabrics, 
aluminum  foil,  conductive  paint,  and  flame-sprayed  aluminum,  all  of  which 
increase  the  shielding  effectiveness  of  a  composite  panel  so  protected.  Ho';- 
ever,  magnetic-field  shielding  improvement  is  modest,  being  only  8.5dB  for 
l-iTiil  aluminum  foil  and  5.2dB  for  flame-sprayed  aluminum.  Puncture-damage 
protectors  such  as  diverter  straps  and  foil  strips  do  not  significantly  in¬ 
crease  shielding  effectiveness  because  of  their  narrowness  and  wide  spacing. 
Test  data  for  electric-tield  shielding  effectiveness  of  composites  are  not 
available.  However,  data  for  the  vacuum  deposition  of  aluminum  0.030-nil 
thick  on  glass  indicate  a  plane-wave  shielding  effectiveness  of  45-60dB  from 
lOkHZ.  Other  data  for  flame-sprayed  aluminum  on  Lexan  foam  show  an  electric- 
field  shielding  effectiveness  of  65ciB  at  5KHZ  falling  to  13dB  at  50MHZ.  These 
data  prompt  some  confidence  that  aluminum  foil  bonded  to  a  composite  panel 
will  provide  significant  E-field  shielding. 

4. 4. 3. 3. 2  Cable  Shields  Cables  are  not  a  part  of  tne  subject  study.  How¬ 
ever,  it  is  assumed  that  all  cables  connecting  to  the  EEC  have  an  overall 
shield  which  is  capable  of  carrying  the  heaviest  direct  or  indirect  current 
end  is  continuous  without  breaks  of  splices  and  which  is  solidly  grounded  at 
both  ends  with  a  oond  whose  resistance  is  less  than  2.5  milliohms. 

4. 4. 3. 3. 3  Lightning  Stroke  Model  fhe  detailed  design  of  the  VCE  engine  in¬ 
stallation  in’an  advanced  tactical  fighter  is  not  available.  However,  m  tlie 
event  that  preliminary  calculations  might  be  useful,  a  typical  lightning- 
stroke  model  is  assumed.  Tne  model  is  simplified  in  that  it  contains  only 
two  strokes  whereas  a  natural  lightning  stroke  may  contain  many.  This  sim¬ 
plification  is  realistic,  however,  because  50?=  of  all  flashes  contain  more 
than  2-3  strokes,  whereas  only  10%  contain  more  than  5-6  strokes.  Moreover, 
in  magnitude  the  two  strokes  in  the  model  are  severe  by  comparison  with 
natural  strokes.  Only  4%  of  1st  return  strokes  exceeo  lOOkA,  and  only  4%  of 
suosequeiit  return  strokes  exceed  50kA. 

Of  the  two  model  strokes,  the  first  has  a  current  peak  of  100,000  amperes  and 
a  rate  of  change  of  100,090  amps  per  microsecond.  Tne  second  stroke  is  half 
the  magnitude  of  the  first.  The  model  incorporates  intermediate  currents  of 
several  thousana  amperes  persisting  tor  a  few  milliseconds,  and  a  continuing 
current,  comprised  of  two  phases,  of  700  artps  average  tor  50  milliseconds 
followed  by  a  40C  amp  section  for  300  milliseconds.  The  total  charge  transfer 
is  le^s  than  200  coulombs,  155  coulombs  of  which  passes  in  the  continuing 
current . 


The  currents  flowing  in  a  lightning  flash  to  ground  are  conveniently  sep¬ 
arated  into  three  categories; 


a.  Return  stroke  surges 


b.  Intermediate  currents 


c.  Continuing  currents 


Peak  current  on  the  order  of  up  to  100,000  A 
or  more. 

Peak  current  on  the  order  of  up  to  10,000  A 
or  more. 

Duration  on  the  order  of  milliseconds. 

Peak  current  on  the  order  of  up  to  1000  A. 

Duration  on  the  order  of  hundreds  of  milli¬ 
seconds. 


Currents  of  types  b  and  c  are  principally  responsible  for  damages  such  as  hole¬ 
burning,  while  currents  of  type  a  mainly  produce  explosive  effects  and  undesir¬ 
able  coupling  transients.  The  lightning  model  can  also  cause  intra-aircraft 
problems  even  if  it  does  not  contact  the  aircraft  directly  but  merely  passes 
nearby.  The  ionized  channel  of  the  1st  return  stroke  is  the  source  of  high- 
intensity  electromagnetic  radiation.  Within  the  channel  an  increase  in  field 
intensity  from  5kV/M  to  over  lOOkV/M  in  a  fraction  of  a  microsecond  is  typical. 
This  field  radiates  away  from  the  channel,  decreasing  in  intensity  60dB/decade 
of  distance  very  close  to  the  channel  and  20dB/  decade  at  greater  distances. 

The  field  encompasses  a  broad  frequency  spectrum  which  can  couple  to  the  air¬ 
craft  structure  and  cables  within.  The  measured  spectrum  shows  components  from 
3HZ  to  IGHZ,  and  lOGHZ  has  been  theoretice  ly  predicted.  The  various  phases  of 
the  lightning  stroke  are  responsible  for  different  frequency  ranges  as  shown 
below; 

Frequency  Range  Source 


3HZ  to  3kHZ 
3kHZ  to  20kHZ 
20kHZ  to  2MHZ 
2MHZ  to  30MHZ 
30MHZ  to  IGHZ 


Continuing  current 
Return  stroke 

Return  stroke,  streamers,  00*^003 
Streamers,  corona 
Stepped  and  dart  leaders 


In  the  natural  thundershorm  environment,  an  aircraft  is  subjected  to  almost 
continuous,  intense  electromagnetic  fields  due  to  charge  redistributions 
(lightning  strokes)  in  adjacent  areas.  These  EM  fields,  usually  caused  by 
intercloud  discharges,  are  often  referred  to  as  cross-fielo  transients.  Since 
cross-field  transients  occur  every  time  the  aircraft  is  in  the  general  area 
of  a  thunderstorm,  exposure  to  them  is  orders  of  magnitude  greater  than 


194 


exposure  to  direct  strikes.  These  EM  fields  have  almost  no  effect  on  internal 
electronic  systems  in  metal-skinned  aircraft,  but  affect  the  aircraft  inter¬ 
ior  in  varying  degrees  with  nonmetallic  skins.  The  electric  and  magnetic 
field  components  produce  entirely  different  effects  on  circuitry.  Composite 
skin  panels  can  result  in  induced  streamering  from  thunderstorm  E-fields  of 
10-100  amperes  from  terminal-board  contacts  even  though  the  skin  in  not  punc¬ 
tured,  H-fields  can  induce  large  voltages  in  loop  areas  lying  under  the 
composite  skin.  Fortunately,  the  same  types  of  protections  against  the  in¬ 
frequent  EMP  and  lightning  direct-strike  occurrences  are  also  effective 
against  the  more  frequent  cross-field  transients. 

In  general,  the  time  structure  of  lightning  currents  is  less  variable  between 
individual  strokes  than  are  the  amplitudes.  It  follows  that  severe  lightning 
models  are  best  developed  first  in  terms  of  amplitudes,  with  subsequent 
secondary  adjustments  to  the  time  structure  in  order  to  obtain  overall  physi¬ 
cal  reality.  Furthermore,  there  is  little  connection  within  an  individual 
discharge  between  the  severity  of  the  three  categories  of  current;  in  other 
words,  even  if  an  initial  return-stroke  surge  is  severe,  this  has  minimal 
influence  on  the  severity  of  a  following  continuing  current. 

The  current-time  history  for  a  model  lightning  stroke  to  ground  is  shown  dia¬ 
grammatical  ly  in  Figure  72.  The  stroke  is  a  very  severe  discharge.  The 
model  is  formulated  in  terms  of  certain  key  points  (A  through  I  in  Figure  72) 
at  which  specific  values  of  current,  i,  and  time,  t,  are  attained,  Between 
successive  key  points  the  current  is  assumed  to  change  in  a  steady  straight- 
line  fashion  with  time. 

The  model  consists  of  six  current  stages:  a  first  return  stroke  including 
both  a  main-current  surge  and  an  intermediate  current;  a  continuing  current 
in  two  phases;  and  a  second  subsequent  stroke  again  comprising  a  main  surge 
succeeded  by  an  intermediate  current.  The  continuing  current  is  modeled  in 
two  phases  because  material  damage  produced  by  continuing  currents  depends 
on  actual  time  and  current  values  and  is  not  a  function  of  charge  transfer 
alone.  It  is  possible  that  special  types  of  damage  could  be  produced  by  a 
subsequent  stroke  following  a  continuing  current;  hence  the  addition  of  the 
second  stroke. 

The  model  is  es':entially  developed  for  applied  purposes  and  it  has  consequent¬ 
ly  been  simplified  appropriately  in  both  the  analytical  and  physical  respects. 
In  physical  reality,  a  severe  discharge  would  have  far  more  strokes  and  also, 
more  phases  of  continuing  current  than  indicated  on  Figure  108,  however,  the 
integrated  effects  of  a  very  severe  natural  discharge  and  of  the  model  are 
simi 1 ar . 


195 


9NISV3bONl  XMSyWnD 


figure  72  LIGHTNING  STROKE  MODEL 


Intra-cloud  discharges  are  less  severe  than  flashes  to  ground  largely  because 
of  the  absence  of  the  large  sudden  return-stroke  surges.  Thus,  if  material 
and  equipment  are  unaffected  by  the  severe  ground-discharge  model,  material 
and  equipment  will  also  be  immune  to  intra-cloud  flashes. 

4. 4. 3. 4  Internal  Environment  of  Aircraft  Due  to  Lightning 

4. 4. 3. 4.1  External  Current  on  Aircraft  In  the  event  of  a  direct  strike,  the 
attachment  and  exit  points  will  be  a  reasonable  facsimile  of  the  lightning- 
current  model.  Some  distortions  will  occur  due  to  different  surge  impedances 
in  air  and  in  the  aircraft.  Reflections  at  the  attachment  and  exit  points 
will  result  in  an  oscillatory  component  in  the  current  and  a  general  slowing 
of  risetime  of  the  exit  current.  In  the  event  of  a  near-miss  lightning  flash, 
the  electromagnetic  fields  from  the  flash  will  excite  a  dipole  response  from 
the  aircraft  in  a  manner  quite  similar  to  EMP  from  a  nuclear  tc^.''lc's‘*on.  The 
current  will  be  a  damped  oscillation  with  period  propo:"' icnsl  to  aircraft 
length.  Because  the  peak  field  intensities  incident  the  aircraft  exter¬ 
ior  are  commensurate  for  EMP  and  a  lightning  near  miss,  the  peak  mid-fuselage 
current  for  a  near  miss  is  estimated  at  5kA.  Although  peak  current  ex¬ 
cited  by  a  near  miss  is  much  less  than  the  peak  current  for  a  direct  strike, 
its  damage  potential  is  not  necessarily  less,  because  it  is  more  oscillatory 
in  shape  and  more  of  its  energy  is  concentrated  in  the  higher  frequencies 
which  couple  more  tightly  to  interior  circuits. 

4. 4. 3. 4. 2  Field-Penetration  Mechanisms  For  portions  of  the  aircraft  sur¬ 
rounded  by  a  metal  skin,  the  skin  current  immediately  caused  a  magnetic  field 
to  surround  the  outside  of  the  aircraft.  For  a  typical  fighter  aircraft  with 
a  circumference  of  5.5m  just  forward  of  the  wing,  the  average  field  intensity 
at  the  skin  surface  for  a  current  of  lOOkA  is  18kA/m.  Field  intensity  will 
be  higher  than  the  average  in  areas  with  small  radii  of  curvature  and  lower 
than  average  for  large  radii.  This  H-field  will  in  time  diffuse  to  the  air¬ 
craft  interior.  This  diffusion  is  not  instantaneous  due  to  delays  imposed 
by  skin  effect,  eddy  currents,  and  the  counter  H-fields  generated  by  the 
eddy  currents.  As  an  example,  a  step-function  H-field  appearing  at  the  out¬ 
side  surface  of  an  aluminum  skin  0.040"  thick  requires  12us  to  reach  90%  of 
its  final  value  at  the  inside  surface.  This  retardation  has  significance  for 
coupling  mechanisms  to  interior  conductors  which  are  functions  of  risetime. 

The  final  interior  H-field  for  a  skin  of  circular  cross  section  is  very  small 
becduse  of  field  cancellations  due  to  symmetry.  Diffusion  through  skin  of 
elliptical  cross  section  is  more  complicated.  Buildup  time  may  be  much  longer, 
and  final  interior  H-fields  will  be  much  higher,  particularly  for  ellipses  of 
high  eccentricity. 


197 


H-fields  can  couple  instantaneously  to  the  interior  through  aperatures,  suci, 
as  canopies  or  composite  panels.  Risetime  is  not  retarded  as  by  diffusion, 
and  a  fast  risetime  will  induce  a  higher  voltage  in  a  loop  of  given  area  than 
a  slow  risetime.  Field  strength  decreases  as  the  cube  of  the  distance  from 
aperture  to  the  internal  point  of  interest.  As  an  example,  for  a  IM  x  2M 
elliptical  fuselage  with  a  O.IM  x  0.2M  elliptical  aperture  at  its  midline,  1000 
amperes  of  fuselage  current  causes  a  field  intensity  of  80A/M  at  the  aperture 
but  only  0.1  A/M  at  0.6M  from  the  aperture.  This  suggests  that  H-field  inten¬ 
sities  are  most  troublesome  in  the  immediate  vicinity  of  the  aperture,  and 
that  coupling  to  interior  conductors  can  be  minimized  by  locating  conductors 
away  from  the  apertu)'e.  For  an  engine  controller,  important  apertures  are 
the  engine  air  scoops. 

Electric  fields  propagate  outwards  from  the  ionized  channel  of  a  near  miss, 
and  may  have  any  polarized  relative  to  the  aircraft.  Penetration  to  the  air¬ 
craft  interior  is  principally  through  apertures,  since  the  combined  absorption 
and  reflection  losses  for  even  a  thin  metal  skin  are  quite  high.  The  low 
shielding  effectiveness  of  composite  panels  has  been  described,  and  such 
panels  will  behave  as  apertures  to  admit  E-fields  to  the  aircraft  interior. 
Assuming  an  aperture  with  zero  shielding  effectiveness,  the  interior  field 
intensity  may  reach  kilovolts/meter  for  close  flashes.  Assuming  a  composite 
panel  protected  with  aluminum  foil  or  its  equivalent,  the  interior  field  in¬ 
tensity  will  be  reduced  20-60dB  depending  on  frequency. 

When  directly  struck,  the  outer  surface  of  the  aircraft  assumes  the  electric 
potential  of  tlie  flash,  resulting  in  a  maximum  E-field  intensity  of  approx¬ 
imately  lOOkV/M.  This  E-field  is  normal  to  the  surface  and  will  penetrate 
through  apertures. 

4. 4. 3. A. 3  Voltage-Drop  Mechanisms  When  the  lightning-model  current  flows  in 
an  airframe  path  between  attachment  and  exit  points  it  causes  a  voltage  drop 
which  can  couple  capacitively  to  interior  circuits.  Assuming  that  the  air¬ 
craft  complies  with  the  bonding  requirements  of  MIL-B-5087B,  this  voltage  drop 
is  limited  to  500V  maximum  between  aircraft  extremities,  which  forms  an  upper 
bound  on  the  voltage  which  can  be  capacitively  coupled.  As  a  worst  case,  some 
or  all  of  this  voltage  drop  can  be  directly  converted  into  a  signal-mode  vol¬ 
tage  if  a  circuit  uses  the  airframe  as  a  signal  return.  This  is  a  bad  practice 
to  be  avoided  in  engine  controllers. 

4.4,4  Electromagnetic  Interference  (EMI)  Environment 

A  severe  EMI  environment  from  ground  and  airborne  transmitters  across  a  wide 
frequency  spectrum  has  been  assumed.  As  previously  described,  the  harniful 
effects  of  EMI  can  be  positively  prevented  from  affecting  the  performance  of 
the  engine  control  with  the  application  of  suitable  protective  material  and 


198 


< 

I 

I 

< 

<• 

i 


protective  devices.  In  the  future,  the  use  of  new  communication  technology 
such  as  fiber  optics  may  influence  the  degree  of  such  protection  required. 

The  degree  of  which  EMI  energy  will  penetrate  the  engine  nacelles  in  the 
advanced  tactical  fighter  is  dependent  on  the  detailed  nacelle  design  config¬ 
uration  and  materials  (not  available  at  this  time).  Aluminum  nacelle  skin 
affords  more  protection  than  composite  nacelle  skin.  Composite  skin  is 
assumed  for  this  study. 

Figure  73  shows  the  peak  values  of  the  more  powerful  transmitters  of  EMI 
energy  to  which  a  tactical  fighter  is  likely  to  be  exposed.  A  navigation  aid 
is  assumed  at  300  to  500  KH2,  high  frequency  communications  at  2  to  30  MHz 
and  radars  at  200  to  450  MHz  and  1  to  40  GHz.  In  the  absence  of  a  detailed 
nacelle  configuration,  an  assumption  of  the  degree  of  attenuation  that  might 
be  afforded  by  a  graphite/epoxy  nacelle  skin  has  been  used  to  reduce  the 
expernal  field,  to  the  levels  shown  internal  to  the  nacelle. 

The  resulting  internal  field  will  be  further  attenuated  by  the  protective 
design  of  the  engine  control  to  levels  that  have  no  effect  on  control  perform 
ance  nor  reliability. 


4.5  Conclusions 

The  information  necessary  to  define  the  environment  for  an  electronic  control 
on  a  variable  cycle  engine  has  been  provided.  From  this  information  the  fol¬ 
lowing  conclusions  have  been  drawn: 

a.  Fuel  system  point  A  (tank  fuel)  exhibits  significantly  lower 
fuel  temperature  levels  than  other  fuel  system  points  studied 
for  electronic  control  cooling.  In  addition,  since  point  A 
fuel  temperature  is  not  affected  by  engine  power  settings,  rapid 
fuel  temperature  transients  are  a\oided  except  during  air 
refuel ing . 

b.  The  vibration  levels  predicted  for  the  VCE  are  significantly 
higher  than  for  current  engines  in  the  frequency  range  from 
500  to  20,000  Hz  because  of  higher  levels  of  fan  pressure  and 
tip  speeds.  These  higher  levels  of  vibration  will  require 
additional  effort  in  mounting  and  packaging  the  elect w.ic 
control  to  meet  the  high  reliability  ''equired  in  this  [..'oqram. 

c.  The  EMI/lightning  electrical  environment  employed  in  this 
study  is  consistent  with  the  latest  information  employed  in  the 
Space  Shuttle  Program  and  in  the  most  advanced  tactical  fighter 
appl ication . 


! 


1 


lilii .  I  LLi!:'"liiily‘lii:: .  ..  ? . . .  . . tiUji  >,1. J...  jJL „  jiL: b,li i.ili  itnu llililUliniii Hlaiil 


200 


. . 


SECTION  V  COMPONENT  BASELINES  FOR  RELIABILITY  AND  COST  OF  OWNERSHIP  STUDIES 


5.1  Baseline  System  Description,  Functional 

To  properly  evaluate,  compare  and  measure  the  progress  of  the  reliability  analy¬ 
ses  presented  In  this  report,  a  brief  description  of  the  baseline  configuration 
and  Its  attendant  features  are  set  forth.  (This  Is  a  summary  of  pertinent  design 
Information  from  Section  III.) 

A  simplified  block  diagram  of  the  baseline  system  configuration  is  shown  in 
Figure  74.  The  system  is  composed  of  two  channels  which  are  designated  the 
primary  channel  and  the  secondary  channel.  Each  channel  has  its  own  set  of  in¬ 
put  sensors  and  signals,  a  CPU,  and  a  set  of  output  function  controls.  The 
basic  mode  of  operation  for  the  controller  is  to  establish  function  control  by 
using  the  primary  channel.  If  there  is  a  detectable  fault  in  the  primary 
channel,  the  fault  sense  and  switch  device  switches  control  of  the  output 
function(s)  to  the  secondary  channel.  Memory-to-memory  communication  between 
the  channels  is  provided  by  a  UART  data  link  and  is  necessary  to  effect 
channel  switchover. 

In  the  two  channel  baseline  system,  all  Input  sensors  and  signals  are  redundant 
with  the  exception  of  the  six  pressure  sensors  and  two  temperature  sensors. 

The  primary  channel  receives  pressure  sensor  AP13,  Pt2  and  Pt3  data  and  the 
secondary  channel  receives  pressure  sensor  PT5,  PT13  and  (:iP3  data.  The  second¬ 
ary  channel  pressure  data  Is  forwarded  from  the  secondary .CPU  by  the  UART.  The 
reverse  situation  exists  concerning  the  forwarding  of  the  primary  channel  pres¬ 
sure  sensor  data  to  the  secondary  channel  If  it  Is  In  control.  The  two  tempera¬ 
tures  which  are  not  redundant  are  Turbine  Blade  Temperature  (TBT)  peak  value  and 
average  value.  These  values  are  also  forwarded  by  the  UART  to  the  appropriate 
control  channel . 

The  primary  channel  CPU  has  slightly  more  capability  than  the  secondary  channel 
CPU  to  provide  for  the  augmentation  function.  The  secondary  channel  In  the 
baseline  system  does  not  have  the  augmentation  function.  This  difference  trans¬ 
lates  Into  the  primary  channel  having  slightly  more  ROM  and  RAM  than  the  second¬ 
ary.  However,  aside  from  this  difference,  the  processor  configuration  and 
architecture  1n  both  channels  is  identical. 

All  output  functions  are  redundant  between  channels  with  the  exception  of  the 
augmentation  function  described  above  and  a  fault  control.  The  fault  control 
exception  1s  caused  by  the  un1-d1rect1onal  switching  of  control  from  the  primary 
channel  to  the  secondary  channel . 


ALTER  - 
NATOR 


E-7C5 


FIGURE  74  QUASI-REDUNDANT  DUAL  CHANNEL  BASELINE  SYSTEM 


202 


5.2  Baseline  System  Description,  Mechanical 

The  printed  circuit  board  assemblies  are  grouped  by  function  to  optimize  the 
circuit  design  and  to  minimize  the  electrical  interconnections  between  PCB 
assemblies.  The  functional  partitioning  of  the  printed  circuit  board  assemblies 
is  as  follows: 

a.  Processor  and  Memory  Board 

b.  Power  Supply  Board 

c.  Sensor  Board 

d.  Input/Output  Interface  Board 

Each  printed  circuit  board  is  provided  with  an  integrally  bonded,  chemically 
etched,  aluminum  heat  sink  plate.  The  heat  sink  provides  both  a  thermal  con¬ 
ductive  path  for  the  power  dissipated  by  the  components  and  a  supportive  struc¬ 
ture  whereby  the  combined  panel  natural  frequency  can  be  tuned  to  desired  ranges 
for  favorable  vibration  attenuation. 

The  electronic  components  are  flow  soldered  to  6-8  layer  epoxy  laminate  printed 
circuit  boards.  The  components  are  placed  on  the  heat  sink  side  of  the  panels 
and  the  component  leads  are  fed  through  the  heat  sink  and  soldered  to  the  printed 
circuit  boards.  The  components  are  bonded  to  the  heat  sink  plate  with  epoxy 
or  RTV  adhesives  as  appropriate  to  enhance  both  the  structural  retention  and  the 
thermal  sinking  of  the  components.  The  components  and  panel  assemblies  are 
conformally  coated  to  provide  moisture  protection  for  the  electronics. 

The  assemblies  are  positioned  in  the  control  housing  such  that  the  high  power 
dissipating  components  are  placed  closest  to  the  cooling  sink  and  the  circuits 
with  the  highest  quantity  of  components  are  packaged  on  the  larger  circuit 
boards.  Access  to  the  PCB  assemblies  requires  removal  of  the  cover  panels, 
disassembly  of  the  appropriate  internal  MIL-C-55302  qualified  connector  mates  and 
removal  of  the  retention  fasteners.  In  the  case  of  the  sensor  board,  it  is 
also  necessary  to  remove  the  pressure  sensor  as  well.  The  PCB  panels  are 
secured  to  the  chassis  at  the  brazed  standoffs  and  are  free  from  the  exterior 
walls.  The  standoffs  conduct  internally  dUsipated  power  to  the  center  deck 
and  to  the  stainless  steel  tube  heat  exchanger.  The  standoffs  are  provisioned 
with  self-locking  threaded  Inserts  for  positive  retention  of  the  PCB  panels. 

The  circuit  boards  are  provisioned  with  test  point  pins  and  connectors  in  ad¬ 
dition  to  the  interconnect  wiring  to  facilitate  production  acceptance  testing, 
troubleshooting  and  fault  isolation  of  Individual  board  assemblies  and  the 
entire  module  as  well . 


203 


The  first  line  of  interconnection,  exclusive  of  those  internal  to  the  components 
themselves,  is  the  printed  circuit  boards,  which  constitute  the  physical  mount¬ 
ing  platform  for  the  components  and  Interconnections  via  etched  copper  circuitry. 

The  PCB's  are  interconnected  with  flex  tapes  which  terminate  in  solder  connec¬ 
tions  at  one  end  and  separable  printed  circuit  connectors  at  the  other  end. 

This  makes  each  PCB  an  independent  module.  The  pressure  transducer  is  connected 
by  hard  wiring  and  soldered  to  terminals  at  the  PCB  end. 

The  two  MlL-C-38999  I/O  connectors  are  equipped  with  printed  circuit  intercon¬ 
nect  boards  which  group  and  reduce  the  number  of  signals  that  connect  to  the 
PCB  modules.  Interconnection  between  the  I/O  connectors  and  the  PCB's  is 
accomplished  with  molded  flexible  cables  having  surface-soldered  terminations 
with  molded  epoxy  strain  relief  at  the  interconnect  board  and  a  separable  MIL- 
C-55302  printed  circuit  connector  at  the  PCB  end.  All  wiring  and  flexible 
cabling  is  provided  with  appropriate  strain  relief  for  support  both  during  handl¬ 
ing  and  in  service.  The  MIL-C-38999  I/O  connectors  provide  excellent  protection 
against  water,  dust  and  vibration.  Electrically  conductive  materials  or  sur¬ 
face  treatments  are  used  at  all  points  of  mechanical  Interface  between  the  cover- 
plates,  housing,  connectors  and  transducer  to  provide  complete  continuity  of  the 
outer  shell  for  electromagnetic  compatibility  and  proper  bonding  at  the  ground 
strap  lug. 

The  electrical  I/O  module  consists  of  internal  electrical  harnesses  which  con¬ 
duct.  the  electrical  signals  from  the  engine/aircraft  cables  to  the  proper  cir¬ 
cuit  board  inside  the  unit.  The  harnesses  are  fabricated  as  a  unit  and  pre¬ 
assembled  into  the  chassis  before  the  PCB  panels  are  assembled.  One  important 
feature  of  the  I/O  circular  connector  selected  for  this  application  is  the  in¬ 
tegral  feedthrough  EMI  filters  which  form  a  part  of  the  connector  contact  pins. 
Incorporation  of  the  EMI  filtering  into  the  circular  connector  eliminates  the 
need  for  intermediate  compartments  to  house  discrete  filters.  The  effects  of 
the  discrete  EMI  filter  approach  would  be  to  add  volume,  weight  and  increased 
complexity  to  the  brazed  aluminum  chassis  housing. 

The  pressure  transducers  are  hard  mounted  to  the  chassis  housing  with  the 
sensor  pneumatic  interface  engaged  into  the  pressure  port.  The  sensors  are 
thermally  heat  sunk  to  an  extension  of  the  stainless  steel  tube  heat  exchanger. 
The  operating  frequency  range  of  the  vibrating  cylinder  (greater  than  5000  Hz) 
is  much  higher  than  the  environmental  vibratory  range.,.  The  fragility  levels  of 
the  transducer  occur  at  frequencies  greater  than  3000  Hz  and  ^it  chassis  atten¬ 
uated  input  amplitudes  which  greatly  exceed  anticipated  levels  by  engine  oper¬ 
ation  or  qualification  levels.  The  sensor  has  successfully  qualified  to  MIL- 
STD-810  environmental  requirements  including  shock,  vibration,  humidity,  hcjjt 
and  cold  temperature,  salt,  sand  and  dust,  and  fungus. 


204 


The  baseline  system  embodies  a  thin  wall,  dipped  brazed  AMS4027  sheet  metal 
chassis  for  high  strength-to-weight  relationship.  The  chassis  is  provisioned 
with  a  stainless  steel  heat  exchanger  to  circulate  tank  supplied  fuel  for  com¬ 
ponent  cooling.  The  stainless  steel  tubing  affords  the  fire  resistance  necessary 
to  meet  the  fire  safety  hazard  requirements.  The  piping  is  bonded  to  the  chassis 
center  deck  to  maintain  close  thermal  contact  between  the  chassis  and  the  cool¬ 
ing  medium. 

The  chassis  design  Incorporates  mounting  standoffs  to  support  the  printed  cir¬ 
cuit  board  modules.  These  integrally  brazed  standoffs  also  afford  a  direct 
thermal  path  to  the  chassis  from  the  PCB  heat  sink  panels.  All  Internal  surfaces 
of  the  chassis  have  been  coated  with  electrically  conductive  Alodine  for  both 
corrosion  protection  and  electrical  bonding.  These  surfaces  provide  EMI  bonding 
at  all  external  closure  surfaces  and  grounding  at  all  Interfaces  as  appropriate. 

The  sheet  metal  covers  are  provisioned  with  elastomeric  sealing  gaskets  to  pro¬ 
vide  environmental  protection.  The  thickness  of  the  cover  panel  is  such  that 
acoustic  noise  is  sufficiently  attenuated  so  that  PCB  panel  response  levels  are 
inconsequential . 


5.3  Part  Quality  Levels 

Part  selection  for  engine  and  airframe  mounted  electronics  must  be  made  care¬ 
fully  with  regard  to  types,  supplier  and  procurement  screening  levels.  All 
devices  must  usually  meet  the  military  temperature  range  requirements.  All 
microcircuits  and  semi-conductors  must  be  secured  with  hermetically  sealed 
packages.  Procurement  of  all  devices  must  be  controlled  by  drawings,  specifica¬ 
tions  and  Approved  Vendor  Lists  (AVL)with  100%  screening  and  appropriate  hi-rel 
environmental  screening.  The  part  quality  levels  selected  for  the  baseline  are: 

Semiconductors  -  JTX  or  Screened  Equivalent 

Integrated  Circuits  -  MIL-STD-883,  Class  B 

Passive  Components  -  ER,  Level  S 


205 


SECTION  VI  RELIABILITY  TECHNOLOGY  TRANSFER 

Hamnton  Standard  Division  has  developed  and  maintained  effective  liaison  with 
several  organizations  which  have  demonstrated  competence  1n  the  development 
of  high  reliability  electronic  systems  and  technology.  The  purpose  of  this 
contact  was  to  obtain  maxiraum  benefit  from  the  experience  of  others  In  order 
to  assist  Hamilton  Standard  In  the  attainment  of  the  high  MTBF  goal  established 
for  the  RAEEC  program. 

Reliability  technology  transfer  discussions  were  held  with: 

Bell  Telephone  Laboratories 
Rome  Air  Development  Center 

Delco  Electronics  Division,  General  Motors  Corporation 
U.S.  Arruy  Materiel  Systems  Analysis  Activity 

Avionics  Laboratory  /  Air  Force  Wright  Aeronautical  Laboratories 

U.S.  Army  Electronics  Command 

A  sample  documentation  of  one  such  relationship  Is  presented  In  Appendix  C. 


SECTION  VII  reliability  IMPROVEMENT  MEASURES 


7.1  General 

In  order  to  meet  the  goal  of  a  25,000  hour  MTBF  for  an  advanced  electronic 
engine  control,  it  is  necessary  to  provide  for  reliability  improvement  in  many 
key  areas  of  design  and  production.  For  the  RAEEC  program  the  key  areas  targeted 
for  an  extensive  reliability  improvement  effort  were: 

•  Thermal  Environment 

•  Redundancy 

•  Vibration  Environment 

•  Interconnection  Technology 

•  Component  Technology 

•  Advanced  Component  Derating 

•  Component  Screens 

•  Assembly  Tests  and  Screens 

The  advanced  FADEC  design  study  provided  the  baseline  system  for  the  RAEEC 
program.  Failure  rates  for  the  FADEC  components  were  based  on  actual  FIDO 
EEC  demonstrated  reliability  point  esiimates  modified  as  follows: 


•  Where  there  have  been  no  failures,  50it  one-sided  confidence  level  on 
zero  failures  was  used. 

•  The  EEC  components  were  assumed  to  be  115°C. 

•  Failure  rate  adjustment  due  to  complexity  change  was  accomplished  using 
MIL-H0BK-217B. 

•  All  CMOS  was  assumed  to  be  2X  failure  rate  of  TTL  based  upon  experience. 

The  failure  rates  for  diode  arrays,  diode  bridges,  resistor  networks,  crystals 
and  transforme 's  were  based  on  handbook  or  vendor  data.  The  component  failure 
rates  were  then  summed  to  produce  equipment  failure  rates.  The  equipment  fail¬ 
ure  rates  are  then  combined  according  to  the  arrangement  determined  by  the  fault 
flag  policy.  For  the  RAEEC  baseline  this  resulted  in  an  MTBF  of  1321  hours. 

7.2  Thermal  Environment 

One  of  the  areas  which  can  lead  to  increased  reliability  is  an  Improvement  in 
thermal  environment.  It  is  an  accepted  idea  that  lower  component  operating 
temperatures  leads  to  reduced  failure  rates.  In  Appendix  D»  the  failure  rate 


?07 


relationship  with  respect  to  operating  temperature  was  explored.  Through 
careful  thermal  design  the  operating  temperature  of  the  RAEEC  was  reduced  from 
the  n5°C  assumed  for  the  baseline  to  71^0.  Using  the  failure  rate/temperature 
graph  in  Appendix  D  .leads  to  a  2.6  factor  of  improvement  in  MTBF  over  the  base¬ 
line  control.  Therefore  the  RAEEC  system  now  exhibits  an  MTBF  of  3432  hours. 

7.3  Redundancy 

As  detailed  in  Section  III,  the  prime  objective  of  the  RAEEC  system  is  to  maximize 
both  Mission  Reliability  and  System  Availability.  The  major  point  highlighted 
in  the  section'was  the  conflict  which  arises  from  attempting  tc  maximize  both 
reliability  and  availability.  High  levels  of  Mission  Reliability  requires  several 
levels  of  redundancy  while  high  availability  is  achieved  through  simplicity. 

This  conflict  was  resolved  through  the  application  of  Redundancy  Management 
Techniques  and  Fault  Tolerant  Concepts. 

In  Section  III,  it  was  stated  that  the  baseline  MTBF  was  3039  hours.  This  num¬ 
ber  was  based  on  the  tentative  budgeted  improvement  factor  of  2.3  for  the  im¬ 
proved  thermal  environment  times  the  original  MTBF  of  1321  hours.  After  the 
application  of  the  Redundancy  Management  Techniques  and  Fault  Tolerant  Concepts 
discussed  in  Section  III,  the  MTBF  of  the  RAEEC  system  was  7965  hours.  This 
corresponds  to  a  redundancy  improvement  factor  of  2.6. 

Because  the  final  improvement  factor  for  Improved  thermal  redundancy  is  larger 
than  the  tentative  budgeted  factor  (2.6  vs.  2.3),  the  MTBF  of  the  system 
before  the  Redundancy  Techniques  are  applied,  is  not  3039  hours.  Applying  the 
redundancy  improvement  factor  results  in  a  system  MTBFiof  8923  hours. 

7.4  Vibration  Environment 

One  of  the  problems  to  be  overcome  with  an  engine  mounted  control  is  the  extreme 
vibration  environment  encountered.  The  intuitive  concept  of  high  vibration 
levels  adversely  affecting  reliability  has  gained  much  acceptance.  Qualitatively, 
this  concept  is  present  in  the  use  of  Environmental  Factors  in  MIL-HDBK-217B. 
Quantitatively,  in  Appendix  0,  an  attempt  is  made  to  determine  the  relationship 
between  vibration  levels  and  failure  rate  levels. 

In  order  to  reduce  the  vibration  impact  upon  reliability  a  comprehensive  approach 
to  vibration  isolation  and  packaging,  as  detailed  in  Section  III,  Mechanical 
Design,  will  be  necessary.  This  approach  is  expected  to  reduce  the  average 
overall  vibration  level  from  the  22.5  G's  experienced  by  the  FIDO  EEC  to  approx¬ 
imately  5.4  G's.  Using  the  curve  developed  in  Appendix  D  ,  the  Improvement 
factor  is  2.25.  This  raises  the  RAEEC  MTBF  from  8923  hours  to  20,076  hours. 


7,5  Interconnection  Technology 

The  extreme  vibration  environment  encountered  by  an  engine  mounted  control 
Impacts  heavily  upon  Interconnection  technology.  An  Intensive  effort  was  made 
to  reduce  the  failure  rate  contributions  of  the  interconnections.  (See  Section 
III).  Some  of  the  techniques  investigated  include: 

•  Minimization  of  the  number  of  Interconnections 

•  Improved  types  of  Interconnectors 

•  Minimization  of  the  number  of  separable  terminations 

•  Adoption  of  flat  packs  and  leadless  chip  carriers. 

A  trade  study  was  conducted  for  various  connectors,  I/O  cable  assemblies,  I/O 
cable  terminations,  etc.,  with  respect  to  their  Inherent  reliability  and  the 
quantity  necessary  to  accomplish  the  function.  The  trade  study  indicated  that 
the  type  of  the  Interconnectors  selected  for  use  In  the  RAEEC  program  showed 
a  2.15  factor  of  Improvement,  In  terms  of  reliability,  over  the  baseline  Inter¬ 
connectors.  However,  this  Improvement  factor  does  not  apply  to  the  entire  fail¬ 
ure  rate  of  the  syste.n,  but  only  to  the  percentage  of  the  failure  rate  attri¬ 
buted  to  the  Inter-connectors  (20%  of  the  system  failure  rate).  This  raises 
MTBF  from  20,076  hours  to  22,480  hours. 

7.6  Component  Technology 

In  order  to  meet  the  reliability  goal  for  the  RAEEC  system.  It  will  be  neces¬ 
sary  to  choose  the  appropriate  component  technology  based  not  only  on  functional 
Implementation  but  also  on  the  technology's  inherent  reliability.  As  detailed 
In  the  Development  Guide  Section  XI,  an  alternative  methodology  to  MIL-HDBK-217B 
was  developed  for  evaluating  the  reliability  of  a  design.  This  new  methodology 
Is  based  on  historical  data,  Hamilton  Standard's  experience,  and  Information 
obtained  from  Industry  surveys,  seminars  and  technology  transfer  conferences. 
This  method  compares  alternative  circuits  based  on  different  component  tech¬ 
nologies  for  reliability  maximatlon.  Comparison  Is  accomplished  by  the  use  of 
a  relative  Index  based  on: 

a.  Active  components 

•  Years  In  High  Yield/High  Volume  Production 

•  Years  to  Industry  Standard  Compatibility 

•  Proven  Space/MHItary  Applications 

•  Accelerated  Testing 

•  Component  Functional  Testability 
o  Inherent  Technology  Failure  Rate 


209 


b.  Functional  Fabrication  Level 

•  Number  of  Active  Devices 

•  Number  of  Other  Components 

•  Board  Area  Used 

•  Microcircuit  Junction  Temperature 

The  final  RAEEC  design  was  chosen  using  this  index  after  all  the  trade  studies 
were  completed  (Appendix  A).  The  improvement  factor  of  1.18  was  calculated' 
from  the  ratio  of  the  final  and  the  preliminary  RAEEC  system  Indices.  However, 
this  improvement  factor  does  not  apply  to  the  entire  failure  rate  of  the  system 
but  only  to  the  percentage  of  the  failure  rate  attributed  to  the  electronic 
components  (80%  of  the  system  failure  rate).  This  raises  the  MTBF  from  22,480 
hours  to  26,040  hours. 

7.7  Aflvanced  Component  Derating 

Recent  studies  have  Indicated  that  the  application  of  derating  principles  with 
respect  to  the  operating  voltage  for  CMOS  devices  yields  a  substantial  Improve¬ 
ment  In  device  failure  rates.  A  recent  study  by  RADC  demonstrated  that  a  10:1 
reduction  In  CMOS  device  failure  rates  Is  possible  for  devices  specified  at  18 
volts  and  operated  at  5  volts.  Early  results  from  two  other  ongoing  studies 
(IBM  &  Intel)  support  the  RADC  findings.  For  operation  at  voltages  between  5 
volts  and  18  volts,  the  Improvement  factor  was  assumed  to  vary  linearly  from 
10  to  1,  respectively. 

As  indicated  in  Section  III,  all  of  the  final  RAEEC  CMOS  devices,  with  the  excep¬ 
tion  of  the  SOS  HS  16/24  processor  and  two  other  CMOS  IC's,  operate  from  the  5 
volt  bus  Instead  of  the  10  volt  bus.  The  processor  still  operates  from  the'lO 
volt  bus  for  Improved  performance.  In  the  final  design,  the  CMOS  devices 
contribute  16%  of  the  series  summation  system  failure  rate.  Of  this  percentage 
of  the  series  summation  system  failure  rate  attributed  to  CMOS  devices,  71%  Is 
contributed  by  CMOS  run  from  the  5  volt  bus  while  29%  Is  contributed  by  CMOS 
run  from  the  10  volt  bus.  The  additional  failure  rate  reduction  associated 
with  this  change  in  operating  voltage  (10  volt  to  5  volt)  will  be  a  factor  of 
4.46.  This  was  calculated  as  follows: 

for  10  volt  operation  failure  rate  reduction  factor  »  2.24 

for  5  volt  operation  failure  rate  reduction  factor  =  10.0 

10.0  . 

for  10  volt  to  5  volt  change  failure  rate  reduction  factor  »  2.24  4.46 


210 


This  failure  rate  reduction  factor  applies  only  to  the  percentage  (16.5%)  of  the 
system  failure  rate  attributed  to  CMOS  devices  which  changed  from  operating  at 
10  volts  to  operating  at  5  volts.  This  raises  the  MTBF  from  26,040  hours  to 
28,515  hours. 

7.8  Component  Screens 

Reliability  improvement  factors  attributed  to  additional  screening  of  piece 
parts,  above  and  beyond  that  available  tf'.rough  military  standards,  are  limited 
to  those  screens  which  can  be  directly  traced  to  the  elimination  of  Infant  mor¬ 
tality  and  the  "freak"  distributions.  Infant  mortality  devices  remaining  In  the 
population  range  from  0.05%  to  0.3%  while  "freak"  distribution  devices  comprise 
2%  to  10%  of  the  population. 

A  comprehensive  screening  program  as  set  forth  in  Section  VIII  will  be  necessary 
to  ensure  that  the  infant  mortality  and  "freak"  populations  will  be  weeded  out. 
The  improvement  factor  of  1.5  was  assigned  based  on  the  fact  that  the  "freak" 
distribution  devices,  comprising  10%  of  the  population,  contribute  more  than  10% 
of  the  device  failure  rate,  as  experienced  in  use.  A  conservative  estimate  was 
made  for  the  improvement  factor.  The  literature  in  this  area  is  non-committal 
in  quantifying  the  improvement  that  can  be  expected  due  to  additional  component 
screens.  This  improvement  factor  is  applicable  to  integrated  circuits,  semicon¬ 
ductors  and  tantalum  capacitors  (55%  of  system  failure  rate).  Therefore,  the 
RAEEC  system  now  exhibits  an  MTBF  of  35,201  hours. 

7.9  Module  Assembly  Test  and  Screens 

The  module  level  of  assembly  represents  the  Initial  point  In  the  fabrication 
cycle  where  piece  parts  are  combined  Into  functional  circuit  entitles.  Here, 
the  aseembly  methods  and  manufacturing  processes  are  brought  to  bear  as  well. 

From  Section  VIII,  module  testing  affords  an  overall  improvement  to  the  perform¬ 
ance  of  the  system  in  the  field  both  in  customer  acceptance  and  observed  failure 
rates  - 

Assuming  the  functional  entities  to  be  Independent  from  the  constituent  piece 
part  on  the  basis  of  the  different  processes  and  methods  Involved,  one  can  reason 
that  a  new  set  of  failure  mechanisms  has  been  breached.  Approaching  the  Issue 
from  the  standpoint  of  the  existence  of  an  Infant  mortality  and  a  freak  distri¬ 
bution  within  the  population  permits  the  application  of  similar  Improvement 
factors  based  upon  the  stage  of  manufacture  and  the  piece  part  compositions  In¬ 
volved.  Included  are  the  failure  mechanisms  of  that  group  of  piece  parts  which 
has  yet  to  be  discussed  namely,  resistors,  all  nontantalum  capacitors,  magnetics 
and  sensor  mechanics  which  comprises  53%  of  the  sytem  failure  rate  at  this  stage. 
These  parts  will  be  subjected  to  accelerated  screening  at  the  module  test  level. 


Ignoring  the  Infant  mortality  contribution  of  less  than  0.5%,  the  density  of 
the  freak  population  of  2%  to  10%  applies  to  both  the  "unscreened"  parts  and 
the  functional  entitles,  1.e.,  modules.  Apportioning  the  improvement  factor 
of  1.11  for  the  "unscreened"  parts  plus  module  entitles  and  the  lower  limit  of 
1.02  for  the  "screened"  parts  to  account  for  the  effectiveness  of  the. module 
screens  results  In  an  overall  improvement  factor  of  1.07  bringing  the  MTBF  of 
the  system  from  35,201  to  37,520  hours. 

7.10  End  Item  Assembly  Level  Screening  and  Tests 

As  detailed  In  Section  XIII  the  controller  will  undergo  a  thermal  cycle  and 
vibration  screen  plus  a  functional  test  at  high  temperature.  The  severity  of 
the  screen  will  disclose  a  set  of  failure  mechanisms  peculiar  to  end  Item  level 
manufacture  and  functional  Interactions  between  modules.  It  may  also  unveil 
new  module  and/or  part  level  mechanisms  directly  Impacting  the  screening  approach 
at  those  lower  levels  of  assembly. 

While  an  Improvement  factor  resulting  from  end  item  testing  but  based  upon  piece 
part  failure  rates  cannot  be  quantitatively  substantiated  (a  4:1  Improvement  In 
customer  acceptance  rate  was  established  In  the  Development  Guide),  It  Is  known 
that  Improvement  In  observed  failure  rate  does  occur  as  a  direct  result  of  end 
Item  screening.  Our  progression  through  the  various  Improvement  categories  thus 
far  has  utilized  the  summation  of  piece  part  failure  rates  method  to  portray  an 
MTBF  Improvement  or  enhancement.  Retaining  the  same  approach,  thereby  avoiding 
the  contradiction  that  exists  between  the  base  of  piece  part  failure  rate  sum¬ 
mation  and  the  base  of  rates  of  acceptance,  the  Improvement  factor  applicable 
to  end  Item  testing  Is  assumed  to  be  1.11.  (See  Sumr.ary  for  the  discussion  on 
Interdependence.)  This  factor  applies  to  100%  of  the  system  failure  rate  rais¬ 
ing  the  MTBF  from  37,520  hours  to  41,648  hours. 

7.11  Summary 

The  analysis  began  with  a  determination  of  the  MTBF  for  the  RAEEC  baseline  using 
historical  piece  part  data  derived  from  the  FlOO  EEC  program.  The  Inherent 
MTBF  was  mofidled  to  Include  the  predicted  reliability  Improvements  resulting 
from  the  design  and  production  philosophy  for  the  RAEEC.  The  key  areas  of 
reliability  Improvement  are: 

•  Thermal  Environment  (2.6) 

•  Redundancy  (2.6) 

•  Vibration  Environment  (2.25) 

•  Interconnection  Technology  (2.15) 


212 


•  Component  Technology  (1.18) 

•  Advanced  Component  Derating  (4.46) 

•  Component  Screens  (1.5) 

•  Assembly  Tests  &  Screens  (1.11) 

Overall  Improvement  Factor  =  32 

As  can  be  seen  1n  Figure  75  ,  the  MTBF  of  the  RAEEC  starts  at  1320  hours  and 
climbs  to  approximately  42,000  hours  after  all  the  Improvements  are  Implemented. 

It  Is  Important  to  note  that  the  progression  to  42,000  hours  MTBF  was  calculated 
under  the  assumption  that  the  predicted  reliability  Improvement  factors  were 
Independent.  For  example,  It  was  assumed  that  an  Improvement  resulting  from 
component  screens  was  totally  Independent  to  the  Improvement  resulting  from 
Final  Assembly  Screens.  However,  In  the  "real  world",  this  assumption  Is  not 
valid.  An  Improvement  In  one  area  may  have  an  Impact,  favorably  or  adversely, 

In  one  or  more  areas. 

Because  the  Improvement  factors  are  not  totally  Independent  of  one  another, 
the  RAEEC  MTBF  of  41,648  hours  must  be  considered  an  optimistic  estimate.  The 
greater  the  Interdependencies  of  the  Improvement  factors,  the  less  the  overall 
Improvements. 

It  Is  estimated  that  80%  of  each  Improvement  Is  independent  In  every  case 
establishing  a  realistic  lower  limit  In  overall  Improvement  of  0.8  x  41  ,648  + 

1320  or  approlmately  25.  The  two  limits  have  been  plotted  In  Figure  75. 


213 


SECTION  VIII  TESTS  TO  ENHANCE  RELIABILITY  GROWTH 


8.1  Introduction 

This  section  of  the  Reliability  Enhancement  Study  addresses  the  implementa¬ 
tion  of  reliability  tests  and  screens  designed  to  enhance  the  reliability  of 
electronic  hardware  intended  for  use  in  an  environment  identified  as  hostile 
due  to  its  high  vibration  and  temperature  levels;  conditions  germane  to  an 
aircraft  engine  mounted  application.  The  testing  program  structured  herein 
emphasizes  the  performance  of  reliability  tests  at  the  key  points  of  develop¬ 
ment  and  production  cycles.  Among  the  key  points  identified  are  the  selec¬ 
tion  and  screening  of  piece  parts,  fabrication  and  test  of  both  polyimide 
and  ceramic  substrate  multilayer  printed  circuit  boards,  subassembly  or 
module  level  screening  and  end  item  level  acceptance  testing. 

During  the  development,  or  preproduction,  phase  emphasis  is  placed  upon  the 
establishment  of  those  screening  and  testing  conditions  which  will  be  the 
most  effective  in  ferreting  out  defect  and/or  marginal  parts  and  assemblies 
during  the  production  cycle.  From  various  industrial  reports  on  the  subject 
of  reliability  testing,  the  single  most  effective  screen  at  all  levels  of 
assembly  is  thermal  cycling.  A11  agree,  however,  that  the  optimum  condi¬ 
tions  of  the  thermal  cycle  screen  (its  rate  of  change,  temperature  range  and 
number  of  cycles)  are  dependent  upon  the  packaging  and  component  mix  of  the 
equipment  to  be  screened;  the  processes  involved  with  its  manufacture  as 
well  as  the  facilities  where  it  is  manufactured  influence  the  behavior  of  the 
equipment  to  a  degree  sufficient  to  also  affect  the  selection  of  thermal 
cycle  parameters. 

From  reference  41  an  approximation  of  the  categories  of  failures  detected  in 
mature  hardware  through  AGREE  (Environmental  Tester)  testing  is: 

Design  marginal ities  5% 

Workmanship  and  Process  Related  33% 

Faulty  Parts  62% 

It  is  further  asserted  that  the  temperature  soak  and  low  level  vibration  (usu¬ 
ally  2  g's  sinusoidal)  portion  of  the  AGREE  test  cycle  play  a  minor  role  in 
screening  effectiveness  causing  the  AGREE  test  method  to  be  "...  essentially 
equivalent  to  a  temperature  cycling  test  dependent  on  the  temperature  range, 
the  temperature  rate  of  change,  and  the  number  of  cycles." 

Other  reports,  such  as  those  prepared  by  Hughes  Aircraft  (Reference  42),  General 
Dynamics  (Reference  43),  and  Lockheed  (Reference  44),  contain  summaries  heralding 
the  effectiveness  of  thermal  cycling  in  enhancing  the  reliability  of  most  any  type 


215 


of  electronic  equipment.  The  Hughes  Aircraft  report,  for  example,  cited  results 
of  thermal  cycling  which  included  "...  a  50%  reduction  in  failure  rate  due 
to  board  stress  testing..."  at  the  end  item  level,  a  "...  25%  reduction  at 
AGREE  test...",  and  a  "4  to  1  reduction  in  failure  rate  at  customer  receiving 
inspection . " 

The  General  Dynamics  report  concluded  that  "fifty  percent  overstress  testing 

is  5  times  more  effective _  than  specification  level  testing",  and  "random 

vibration  is  2  times  more  effective...  than  specification  level  testing",  and 
"random  vibration  is  2  times  more  effective...  than  either  high  or  low  temper¬ 
ature  testing." 

Therefore,  the  following  general  rules  were  applied-in  the  development  of  the 
test  program  defined  herein. 

A  rational  degree  of  flexibility  must  prevail  throughout  the  test  program 
commencing  with  the  screening  of  piece  parts  and  proceeding  through  the  end 
item  level  acceptance  test.  Screens  that  produce  no  results  should  be  dis¬ 
continued  while,  at  the  same  time  those  that  continually  produce  meaningful 
results  should  be  retained.  As  defect  trends  or  failure  modes  are  identified 
through  testing  and  eliminated  through  follow-up  recurrence  control  measures, 
it  may  be  necessary  to  modify  the  conditions  of  the  screen  or  impose  an  en¬ 
tirely  different  screen  to  assure  reliability  enhancement.  The  ability  to 
alter  the  test  program  in  a  cost  effective  manner  and  essentially  at  will  to 
the  benefit  of  the  ultimate  customer  in  terms  of  equipment  longevity  and  fail¬ 
ure  free  operation  should  exist. 

The  worth  of  a  set  of  screens  at  a  given  component  or  assembly  level  is  to  be 
measured  and  evaluated  directly  from  test  results  at  the  next  higher  assembly 
level.  This  approach  provides  the  degree  of  interaction  between  test  levels 
nec'^ssary  to  allow  the  continuity  and  effectiveness  of  the  overall  test  pro¬ 
gram  to  surface.  The  general  idea  is  to  screen  defectives  out  at  the  lowest 
testing  level  possible. 

The  test  program  should  be  designed  to  increase,  not  measure,  reliability. 

This  means  the  test  conditions  should  provide  a  stress  of  sufficient  magnitude 
so  as  to  isolate  weak  sisters  and  be  performed  on  a  100%  basis.  Any  consistant- 
ly  failure  free  test  or  screen  is  an  immediate  candidate  for  discontinuation. 
Further,  the  "test-in"  reliability  approach  should  require  the  shortest  time 
feasible  in  order  that  the  effectiveness  of  the  overall  program  may  be  under 
constant  appraisal.  Measurement  of  reliability  testing  similar  to  that  of 
MIL-STL)-78l  is  extremely  slow,  very  expensive,  usually  conducted  on  a  minimum 
number  of  units  and  carries  the  stigma  where,  in  the  results,  any  failure  poses 
a  liability. 


216 


8.2  Piece  Part  Screening 


The  objective  of  100%  screening  at  the  piece  part  level  is  to  weed  out  infant 
mortality  plus  latent  defects  comprising  the  "freak"  distribution  defined  in 
method  1016  of  MIL-STD-883B.  While  the  majority  of  infant  mortality  defects 
are  screened  out  through  the  100%  process  conditioning  specified  in  Established 
Reliability  procurement  specifications  (i.e.,  MIL-R-55182)  and  other  military 
standards  (i.e.,  MIL-STD-883) ,  additional  screening,  generally  accelerated, 
is  required  to  adequately  screen  out  those  latent  defects  which  manifest  them- 
selvas  at  higher  assembly  level  testing.  Since  these  failure  modes  must  first 
be  identified,  it  is  necessary  to  perform  accelerated  testing  on  samples  of 
individual  piece  part  types  and  families  within  types  to  establish  the  optimum 
accelerated  conditions  which  will  efficiently  manifest  those  modes  at  the  part 
screening  level;  i.e.,  through  a  100%  accelerated  burn-in.  The  reliability 
of  the  balance  of  the  lot,  having  been  screened  through  these  accelerated 
burn-in  condition,  is  thereby  greatly  enhanced. 

The  following  paragraphs  address  the  recommended  test  programs  per  basic  piece 
part  (reference  41)  type.  It  must  be  recognized,  however,  that  the  part  man¬ 
ufacturer  may  have  conducted  similar  tests  on  his  devices.  Once  ascertained, 
the  test  results  should  be  evaluated  in  terms  of  commonality  and  applicability 
to  the  programs  outlined  herein.  Should  the  manufacturers  data  aaequately 
satisfy  the  requirements  stated,  both  quantitatively  and  statistically  (i.e., 
variance  analyses,  goodness  of  fit,  Arrhenius  plots,  Eyring  equations,  etc.), 
his  accelerated  test  conditions  should  be  incorporated  in  the  interest  of 
economy. 

8.2.1  Integrated  Circuits 

Test  guidelines  pertaining  to  piece  parts  emanating  from  the  NASA  sponsored 
studies  conducted  by  Martin-Marietta  (reference  41)  are  listed  below  with  some 
commentary. 

Integrated  Circuits 

"1.  100%  electrical  testing  and  burn-iri  for  a  minimum  of  240  hours 

is  mandatory  for  screening  out  defective  devices.  For  programs 
requiring  the  highest  reliability,  consideration  must  be  given 
to  burn-in  for  longer  than  240  hours,  or  at  higher  temperatures, 
because  the  internal  elements  of  integrated  circuits  cannot  be 
stressed  to  their  rated  capability," 

It  is  their  consideration  to  burn-in  at  higher  temperatures  that  is  of  primary 
interest  in  this  reliability  enhancement  study.  As  found  in  other  independent 
studies  (references  45  and  46)  accelerated  or  high  temperature  burn-in  is  an 


effective  means  of  culling  devices  containing  latent  infant  mortality  related 
defects  (termed  "long  term  failure  mechanisms")  from  a  lot  or  lots  of  inte¬ 
grated  circuits.  Again,  the  rule  that  processes,  facilities,  etc.,  involved 
with  its  manufacture  influence  the  reliability  of  the  end  item,  here,  a  de¬ 
vice,  applied  making  it  necessary  to  evaluate  each  device  type  and/or  manufac¬ 
turer  contemplated  for  use  in  the  production  of  a  black  box  systems  element. 

During  the  design  and  development  phase,  the  accelerated  screening  criteria 
are  to  be  developed  on  a  per  device  level  (Figure  76).  Commencing  with  the 
procurement  of  integrated  circuits  screened  to  at  least  level  B  of  MIL-STO- 
883,  each  device  type  is  to  be  subjected  to  step  stressing  per  applicable 
portions  of  method  1016  of  MIL-STO-883  the  stress  conditions  of  which  are  to 
be  selected  as  a  function  of  device  type/technology.  The  performance  of  PIND, 

Bond  strength  testing  and  Scanning  Electron  Microscope  examinations  on  a 
sample  basis  plus  detailed  failure  analyses  on  all  step  stress  test  rejects 
will  identify  problem  manufacturers  and  device  failure  mechanisms.  Collective¬ 
ly,  these  results  including  evaluation  of  step  stress  testing,  are  the  tools 
with  vvhich  the  initial  conditions  of  procurement,  accelerated  burn-in,  and 
additional  screening  of  detailed  parts  are  to  be  structured  for  production  builds. 

The  resulting  screening  program  applicable  to  integrated  circuits  during  the 
production  phase  of  the  program  is  depicted  in  Figure  77.  The  highlights  of 
the  screening  program  are  the  continuous  evaluation  of  the  screening  against 
yield  information  derived  from  next  higher  level  testing,  and  the  flexibility 
of  the  screening  program  in  responding  to  changes  in  requirements  brought 
about  by  lot  variations,  change  in  sources,  etc.,  usually  during  a  long  term 
production  run. 

"2.  1007o  Pre-cap  visual  inspection  to  standards  superior  to  that 

required  by  MIL-STO-883  is  required  to  detect  time-dependent 
failure  mechanisms  resulting  from  scratches,  pin-holes,  re¬ 
sidues  and  improperly  controlled  processing." 

The  latest  issue  of  MlL-STD-883  contains  a  more  stringent  pre-cap  visual  in¬ 
spection  than  the  issue  in  existence  during  the  preparation  of  the  NASA  study, 
howeve'",  the  test  condition  applicable  to  level  "S"  is  more  rigorous  than  that 
of  level  "B".  Depending  upon  program  needs  or  in-house  test  results  it  may  be 
necessary  to  impose  condition  "A"  internal  visual  inspection  requirements  when 
procuring  to  MIL-STO-883  level  "6"  specifications. 

"3.  100%  bond  pull  testing  is  currently  quite  controversial,  but 

is  recommenced  herein  because  it  is  being  successfully  performed 
by  Autonetics,  Fairchild,  and  others,  and  without  evidence  of 
the  possible  degradation  postulated  by  the  companies  that  have 


216 


ELGCTPiCAu 

STEP  STRESS 
PER  AHOliCABlE 

MEASUR- 

■R.  t.  ' 

METmOO  t0i6 
mil  -STO-e8J 

'  irc  •;  \ 

CLtCTPlCAL 

V  MtNTS  / 


SAMPLE  BO-^O  I 
STRCMGTh  I 


DATA 

EVALUATION 

DU'NE. 

GOLDTHWAITE. 
ARRHtNIUS  plots: 


tESTABi-lSHMENT  \ 

OF  accelerateo  I 

BURN-  IS  conditions  I 
SELECTION  OF  / 
,  MFuR'S  / 


OCVICES 
PROCURED  TO 
VilL  STD-cA: 

lG\.Gl  B  CP  a 


OETAILEO 

FAII.UNL 

ANALYSES 


sample  SEm. 
PftOFlLOMETRiC 
eXAMINATiCNS 


results  failure  mechanisms  I 


FIGURE  76  ESTABLISHMENT  OF  ACCELERATED  BURI4-IN  CONDITIONS  (DESIGN  8c 
DEVELOPMENT  PHASE.  FOR  INTEGRATED  CIRCUITS) 


219 


z 


FIGURE  77  1009^  SCREENING  OF  INTEGRATED  CIRCUITS 
DURING  PRODUCTION  PHASE 


not  investigated  and  adopted  this  technique.  Bond  pull  tests 
are  needed  since  the  acceleration  and  shock  tests  do  not  detect 
bad  bonds  because  of  the  very  small  mass  of  the  wire  involved." 

100%  bond  pull  testing  remains  a  controversial  issue  today  and  should  be  im¬ 
posed  only  when  considered  remedial. 

"4.  Submit  a  wafer  sample  from  each  metallization  run  to  a  detailed 
scanning  electron  microscope  inspection  to  assure  uniform  and 
continuous  metallization  over  window  cuts  and  oxide  steps,  to 
avoid  undercutting  and  water  fall  effects  from  oxide  etch,  to 
detect  oversintering,  and  to  verify  mask  alignment.  Inspection 
at  the  wafer  level  is  the  most  economical  ooint  in  the  process 
sequence  for  performance.  Screening  tests  are  not  100%  effective 
in  detecting  these  faults  and  further  costly  processing  is 
avoided." 

Mot  considered  cost  effective  at  the  system,  manufacturing  level  due  lo  the 
fact  that  a  single  order  placed  may  be  filled  by  integrated  circuits  from  a 
number  of  different  metallization  runs,  t  more  efi'ective  utilization  of  the 
SEM  screen  by  the  systems  house  would  be  to  conduct  SEM  inspections  on  sam¬ 
pled  devices  as  part  of  his  part/manufacturer  evaluation  program. 

"5.  Submit  a  wafer  sample  from  each  netal 1 ization  run  to  a  pro- 
filometer  test  to  verify  metallization  thickness  and  avoid 
electromigration  problems." 

Same  observation  as  indicated  for  SEM  above. 

"6.  Perform  the  qualification  tests  of  Group  C  in  l!IL-i  1-38510  in 
sequence  on  the  same  group  of  parts  as  opposed  to  performing 
the  tests  in  parallel.  This  will  impose  the  additive  effects 
of  environments  that  are  more  realistic  to  real  life  use.  Also, 
the  screening  effectiveness  can  be  evaluated." 

As  defined  in  MIL-M-38519.  Group  C  is  a  periodic  inspection  not  usually  con¬ 
ducted  on  each  lot.  When  conducted  as  part  of  the  qualification  procedure, 
the  qualification  approved  status  is  valid  for  a  period  of  12  months,  during 
which  requalification  is  not  required.  Therefore,  the  value  of  performing 
the  Group  C  tests  in  sequence  as  opposed  to  parallel  is  questionable  when 
considering  overall  contribution.  A  further  opposing  argument  is  the  limited 
availability  and  related  high  cost  of  fully  qualified  integrated  circuit  types. 
Systems  manufacturers,  due  to  these  cost  and  availability  considerations, 
tend  to  procure  integrated  circuits  from  reputable  houses  to  industrial 
standards,  process  through  MIL-STD-883  screening  and  qualify  them  by  next 
higher  assembly. 


?21 


A  more  meaningful  recommendation,  or  test  guideline,  would  have  been  to 
include  a  more  stringent  thermal  cycle  test  on  each  lot  produced  in  light 
of  the  general  finding  of  the  study  regarding  the  benefits  of  accelerated 
^thermal  cycling. 

8,2.2  Discrete  Semiconductors 

"1,  A  100%  nondestructive  interconnect  wire  pull  is  recommended 
to  eliminate  defective  wire  bonds.  Sound  bonds  will  not  be 
degraded. " 

While  the  worth  of  such  a  screen  is  undisputed,  an  alternate  approach  would 
be  to  impose  both  forward  and  backward  instability  shock  tests  as  required 
for  JANS  devices,  due  to  the  rather  high  cost  of  performing  100%  bond  tests. 

"2.  A  rigorous  pre-cap  visual  inspection  of  the  die  and  header 
assembly  is  essential  to  eliminate  common  assembly  defects. 

Perform  die  inspection  (preferably  at  the  wafer  or  die  level) 
to  eliminate  defective  die." 

Procurement  to  either  JANS  or  JNTXV  levels  of  MIL-S-19500  would  fulfill  this 
requirement.  Where  reliability  requirements  wairant,  the  precap  visual  exam¬ 
ination  should  be  to  MSFC  85MC3924  criteria,  incidentally,  at  any  reliability 
level . 

"3.  Screening  tests  on  100%  of  the  parts,  which  include  burn-in, 

HTRB,  thermal  cycling,  mechanical  shock,  hermeticity,  and 
parametric  tests  arc  essential  to  eliminate  defective  parts." 

Procurement  to  JANS  level  of  MIL-S-19500  fulfills  the  above,  however,  the 
above  test  series  does  not  adequately  address  "freak"  distributions,  the 
elimination  of  which  is  essential  for  reliability  enhancement.  Figure  78 
depicts  Che  screening  flow  for  discrete  semiconductors  during  production  and 
preproduction  phases  designed  to  weed  out  the  "freak"  distribution.  Again, 
the  screening  conditions  to  be  applied  during  the  production  phase  are  those 
identified  through  step  stressing  discretes  during  the  preproduction  phase. 
Results  of  next  higher  assembly  (NHA)  level  testing,  i.e.,  module,  are  to  be 
factored  into  the  high  temperature  burn-in  conditions  sucii  that  a  high  degree 
uf  efficiency  may  be  maintained  during  the  part  screening  exercise. 

While  procurement  to  JANS  level  of  MIL-S-19500  fulfills  the  above  require¬ 
ments,  cost  and  availability  of  level  "S"  devices  may  be  prohibitive  partic¬ 
ularly  since  latent  defects  that  may  remain  still  must  be  screened  out.  Sub¬ 
jecting  JNT  devices  to  additional  screening  assures  availability,  lower  ini¬ 
tial  cost,  and  control  over  the  screening  exer^i.w. 


222 


E-470J 


FIGURE  78  100^  ACCELERATED  SCREENING  FLOW  FOR  DISCRETE 
SEMICONDUCTORS 


8.2.3  Tantalum  Capacitors 


As  stated  in  Reference  41,  tantalum  electrolytic  capacitors  are  less  reliable 
than  other  types.  In  the  case  cited  therein,  of  4622  capacitors  used,  the  6 
failures  involved  only  tantalum.  No  differentiation  between  solid  and  nonsolid 
electrolite  devices  was  made.  The  test  guidelines  included  in  Reference  41  are 
discussed  below  for  both  solid  and  nonsolid  tantalum  types  where  type  designa¬ 
tions  are  pertinent. 

"1.  Tantalum  capacitors  should  be  qualified  to  the  requirements  of 
MIL-C-39003  or  MIL-C-390C6  level  P,  as  a  minimum.  Additional 
program-peculiar  requirements  should  be  added  as  required." 

Present  QPL  listings  suggest  level  R  requirements  be  selected  as  a  minimum 
due  to  their  availability;  i.e.,  from  more  than  one  source.  There  are  a  few 
exceptions,  however,  where  the  minimum  of  level  P  would  apply  to  avoid  single 
sourcing. 

QPL-39003  (Solid  Tantalum) 

Types  CSR33 

QPL-39Q06  (Nonsolid  Tantalum) 

Types  CLR79 

(Single  sources  only  exist  for  the  following  types  -  CLRIO,  14,  17,  69, 

89  usage  of  which,  therefore,  is  to  be  discouraged  until  second  sources 
have  qualified). 

"2.  Radiographic  inspection  on  100%  of  the  devices  should  be  made 
in  accordance  with  more  comprehensive  inspection  criteria  such 
as  in  MSFC-STD-355  to  detect  anomalies  more  effectively". 

(Applies  only  to  solid  tantalum  capacitors;.  The  100%  radiographic  examina¬ 
tion  criteria  of  MIL-C-39003  is  considered  adequate  for  aerospace  programs 
excluding  extended  duration  manned  space  expeditions.  The  implementation, 
however,  of  the  more  comprehensive  radiographic  inspection  criteria  of  MSFC- 
STD-355  would  be  beneficial  as  a  remedial  action. 

"3.  Burn-in  should  be  increased  to  a  minimum  of  240  hours  at  rated 
voltage  at  85  C  with  tight  delta  limit  criteria.  Stability  is 
an  indication  of  reliability  and  present  durations  are  not  suf¬ 
ficiently  long  to  detect  all  parts  with  instabilities.  Read  arid 
record  measurements  of  capacitance,  dissipation  factor,  and  leakage 


224 


should  be  made  before  and  after  burn-in  on  100%  of  the  devices". 

"4.  Accelerated  tests  are  applicable  to  solid  tantalum  capacitors. 

Caution  is  required  in  applying  these  techniques  to  foil  or  wet 
slug  capacitors  as  electrolyte  breakdown  may  occur  at  relatively 
low  voltages  creating  a  new  failure  mechanism". 

The  burn-in  criteria  of  current  issues  of  MlL-C-39003  and  MIL-C-39006  remain 
inadequate.  But  to  improve  the  burn-in  and  then  perform  accelerated  testing 
which  ultimately  reflects  back  to  the  burn-in  criteria  is  less  time  efficient 
than  conducting  a  component  evaluation  program  employing  step  stress  testing 
to  arrive  at  an  optimum  burn-in. 

The  fact  that  low  temperature  (circa  ISZ^C)  solder  is  used  in  the  manufacture 
of  solid  tantalum  capacitors  and  the  manganese  dioxide  layer  is  extremely  sen¬ 
sitive  to  temperature,  particularly  above  125°C,  dictates  an  acceleration  of 
rated  voltage  in  lieu  of  temperature.  It  also  supports  the  demand  for  stringent 
controls  over  their  circuit  applications. 

Shown  in  Figures  79  and  80  are  step  stress  test  programs  for  solid  tantalum 
capacitors  and  nonsolid  tantalum  capacitors,  respectively,  designed  to  estab¬ 
lish  optimum  burn-in  criteria  which  would  afford  reliability  enhancement  at 
minimum  expense  and  schedule  impact. 

The  value  of  applied  voltage  is  to  be  established  as  a  function  of  case  size 
and  capacitance  value.  The  values  shown  in  Figure  79  are  applicable  to  those 
case  sizes  requiring  a  minimum  of  110%  of  rated  DC  voltage  as  an  applied  stress. 
This  minimum  value  may  not  exceed  130%  iti  which  case  the  three  step  stress 
levels  would  be  110%,  120%,  and  130%.  Caution  must  be  exercised  in  the  appli¬ 
cation  of  the  voltages  in  that  the  intended  value  should  be  reached  through  a 
gradual  increase  instead  of  through  a  step  function. 

For  nonsolid  tantalum  capacitors,  the  restriction  of  maximum  applied  temper¬ 
ature  is  relaxed  because  low  temperature  solder  is  not  employed.  Therefore, 
as  shown  in  Figure  80,  the  step  stress  is  a  function  of  temperature  as  opposed 
to  voltage.  The  voltage  to  be  applied  during  the  step  stress  test  is  100%  of 
the  SS^C  rated  value. 

Once  the  optimum  burn-in  conditions  and  associated  reject  criteria  have  been 
established  from  results  of  the  step  stress  testing,  100%  of  the  tantalum 
capacitors  should  be  subjected  to  the  accelerated  burn-in  as  defined  in  Fig¬ 
ure  81.  Hermeticity  per  standard  methods  should  be  performed  following 
accelerated  burn-in.  Where  acid  electrolytes  are  used  (normally  in  nonsolid 
devices)  a  litmus  paper  or  th.ymol  blue  test  should  be  added  to  the  usual  leak 
test  (Reference  41), 


225 


FIGURE  80  STEP  STRESS  TEST  OF  NON-SOLID  TANTALUM  CAPACITORS 
(PREPRODUCTION  PHASE) 


227 


The  accelerated  burn-in  conditions  should  also  be  subject  to  alteration  or 
refinement  as  a  result  of  next  higher  level  assembly  screening. 

8.2.4  Multilayer  Epoxy  or  Polyimide  Printed  Circuit  Boards 

1.  "A  test  coupon  from  each  production  board  containing  80  to  100 
plated-through  holes,  connected  in  series,  should  be  temperature 
cycled  between  -65°  and  110°C,  and  increased  electrical  resistance 
should  be  cause  for  rejection  of  the  production  boards. 

For  programs  with  a  nominally  mild  temperature  environment 
50  temperature  cycles  are  recommended.  For  more  severe  appli¬ 
cations,  200  temperature  cycles  are  recommended". 

From  the  list  of  failure  mechanisms  germane  to  multilayer  printed  circuit 
boards,  the  mechanisms  having  the  most  impact  on  circuit  functions  are  either 
short  or  open  circuits.  While  the  spectrum  of  short  circuit  causes  cannot  be 
completely  eliminated  through  in-line  inspection  and  process  control  measures, 
it  can  be  substantially  reduced.  The  same  statement  applies  to  the  spectrum 
of  open  circuit  causes  but  for  one  subtlety  -  open  circuit  fa. lures  are,  by 
far,  more  time/temperature  dependent. 

The  majority  of  open  circuit  failures,  obviously,  involves  the  plated  through 
hole  of  the  multilayer  board.  Failures  are  manifested  by  cracks  or  separa¬ 
tions  of  the  barrel  of  the  hole  from  the  terminal  pads  of  one  or  more  layers 
through  which  the  barrel  passes.  (As  stipulated  in  Reference  47  the  primary 
factor  affecting  the  long  life  of  multilayer  boards  is  the  ductility  of  the  copper.) 

This  failure  mechanism  also  occurs  during  solder  processing  wherein  the  board 
and  its  plated  through  holes  sustain  the  severe  thermal  shock  associated  with 
flow  or  wave  soldering  as  well  as  hand  soldering.  In-house  studies  (ref.  48) 
have  shown  that  a  rather  substantial  improvement  in  reliability  through  the 
reduction  of  open  circuit  failures  (based  upon  %  rejects)  results  from  the 
selection  of  polyimide/glass  over  epoxy/glass  printed  circuit  board  materials. 

While  the  use  of  polyimide  over  epoxy  base  material  is  encouraged,  the  100% 
screening  test  outlined  in  Figure  82  would  apply  equally  to  either  with  a 
possible  adjustment  in  number  of  thermal  cycles. 

A  first  article  inspection  to  the  criteria  of  MIL-P-55640  is  recommended  for 
each  printed  circuit  configuration  manufactured  due  to  the  fact  that  each 
board  design  is  normally  unique. 

Test  coupons  should  be  specialized  to  best  represent  the  complexity  of  the 
printed  circuit  board.  A  test  coupon  directly  traceable  to  the  board  it 
represents  and  comprised  of  80  to  100  plated  through  holes  should  be  included. 


229 


The  plated  through  holes  should  be  connected  in  series  in  such  a  manner 
that  the  connection  of  the  pad  of  one  layer  to  the  pad  of  a  different  layer 
is  made  through  the  barrel  of  a  plated  through  hole.  In  no  case,  should  a 
conductor  path  on  an  individual  layer  be  connected  to  more  than  2  plated 
through  holes  at  one  time.  (See  Figure  83.) 

The  coupons  containing  the  series  connected  plated  through  holes  configured 
per  the  sketch  should  be  subjected  to  from  50  to  200  temperature  cycles  depend¬ 
ing  upon  the  severity  of  the  use  environment.  In  the  case  of  engine  mounted 
hardware  where  temperature  excursions  are  acute,  200  cycles  are  recommended. 

The  suggested  temperature  extremes  are  to  110®C  (reference  41).  A  ther¬ 

mal  gradient  of  about  20‘’C  per  minute  is  adequate  based  upon  module  level 
testing  conducted  by  Hughes  (Reference  42).  The  selection  of  US'C/minute 
was  based  upon  the  gradient  required  to  complete  200  thermal  cycles  in  72  hours 
with  a  minimum  dwell  at  temperature  extremes.  (Note:  the  17.'5 °C/minute  grad¬ 
ient  is  that  to  be  experienced  by  the  test  coupon,  not  the  temperature  chamber 
volume) . 

The  accept/reject  criteria  to  be  applied  is  the  delta  resistance  of  the  80  to 
100  plated  through  holes  connected  in  series  (R  initial  +10%).  Following  an 
accept  decision,  the  temperature  cycle  test  should  be  continued  for  3000  cycles 
simulating  a  10  year  life  of  the  multilayer  printed  circuit  board  in  normal 
aircraft  usage. 

2.  "Acceptance  tests  should  also  include  temperature  shock  tests 
siinulating  the  wave,  or  the  hand  soldering  operations,  since 
thermal  induced  warping  of  the  boards  tends  to  cause  cracks 
between  the  inner  copper  planes  and  the  plated-through  hole." 

Group  A  inspection  of  MIL-P-55640  should  be  conducted  on  a  tightened  AQL,  or 
better,  100%  basis.  In  addition,  thermal  shock  per  method  107  of  MIL-STD- 
202,  test  condition  B  should  be  performed. 

8.3  Subassembly  Level  (Module)  Screening 

The  effectiveness  of  a  comprehensive  screening  program  at  the  lower  assembly 
level  of  a  production  run  has  been  questioned  for  decades.  The  answer  in¬ 
evitably  was  that  the  measurably  small  improvement  realized  did  not  justify 
the  cost  of  implementation.  The  principal  reason  for  this  lack  of  effective¬ 
ness  was  recently  determined  to  be  the  rather  benign  environmental  conditions 
utilized.  The  cost  of  module  level  test  equipment  falls  out  of  the  argument 
against  subassembly  screening  because  it  has  become  an  accepted  program  ele¬ 
ment,  particularly,  where  the  subassembly  has  a  high  density  factor  and  circuit 
complex ity. 


231 


BARREL  CONDUCTOR 


E-5759 


FIGURE  83  PRINTED  CIRCUIT  BOARD  PLATED  THRU  HOLES 


Numerous  studies  by  independent  firms  (t^eferences  42,  43,  44)  conducted  on  high 
volume  production  modules  show  a  definite  improvement  in  end  item  reliability 
attributable  to  subassembly  thermal  cycling  and  screening.  Results  indicate 
maximum  screening  effectiveness  is  achieved  when  the  number  of  thermal  cycles 
is  between  20  and  40  and  the  rate  of  temperature  change  between  15  C  and  25  C 
per  minute.  Complexity  plays  a  major  role  in  determining  the  most  effective 
rate  of  change  for  a  particular  module;  generally,  the  more  complex  modules 
require  smaller  rates  of  change.  (Here  we  could  define  a  complex  module  as 
being  a  multilayer  polyimide  printed  circuit  board  containing  200  piece  parts 
the  majority  of  which  being  active  parts,  and  2000  solder  joints). 

8.3.1  Preproduction 

8. 3. 1.1  Polyimide/Gl ass  Printed  Circuit  Board  Assemblies 

During  the  development  phase  of  the  program  the  determination  of  the  stresses 
and  levels  which  will  provide  optimum  screening  effectiveness  (measured  at 
the  next  higher  assembly  level)  is  to  be  accomplished.  Figure  84  depicts  the 
lOO/i  screening  of  polyimide  printed  circuit  board  modules  designed  to  establish 
the  optimum  rate  of  temperature  change  utilizing  a  fixed  number  of  cycles  and 
temperature  ranges.  These  characteristics  have  been  fixed  at  20  and  -40°C  to 
+100°C,  respectively,  to  reduce  the  number  of  variables.  Additionally,  these 
values  are  representative  of  the  optimum  conditions  derived  from  the  aforemen¬ 
tioned  industrial  studies.  The  option  to  increase  the  number  of  cycles  or  the 
range  between  temperature  extremes  can  be  exercised  depending  upon  design 
analysis,  con riquration/complexi ty,  level  of  piece  part  screening  as  well  as 
from  results  obtained  from  preproduction  tests. 

A  preproduction  batch  of  modules  is  divided  into  3  equal  sub-batches  each  of 
which  is  subjected  to  20  thermal  cycles  differing  only  by  the  thermal  gradient. 
(See  Figure  85).  Dwell  time  at  temperature  extremes  should  be  less  than  10 
minutes . 

Assuming  a  dwell  time  of  10  minutes  the  length  of  test  will  range  from  10.4 
to  12.9  hours  depending  upon  the  thermal  gradient  employed.  The  traceability 
of  a  module  to  its  thermal  gradient  sub-batch  should  be  maintained  through  end 
assembly  testing  enabling  the  determination,  from  next  higher  assembly  levels, 
of  that  thermal  gradient  which  minimizes  the  failure  occurrance  of  that  module 
type.  Once  determined,  the  thermal  gradient  should  be  utilized  during  produc¬ 
tion  testing. 


The  estimated  yield  through  thii  subassembly  level  thermal  screen  will  exceed 
90%  and  through  the  end  item  level  screening,  approach  i00%. 


1^‘INISHED  STORES 
BATCH 


KITTING 


FIGURE  84 


batch 


PS  operating 

DURING  WARMUP 
PORTION  OF  CYCLE 


E-56B7 


100%  SCREENING  OF  POLYIMIDE  P.  v'  BOARD  MODEL  DURING 
PREPRODUCTION  PHASE 


234 


8. 3. 1.2  Alumina  Ceramic  Modules 


The  alumina  ceramic  printed  circuit  board  is  a  composite  of  ceramic  insulating 
layers,  interconnect  patterns  and  a  thick  film  alumina  (AL2O3)  substrate.  The 
resulting  monolithic  unit  is  a  sturdy,  physically  stable  and  thermally  con¬ 
ductive  device  affording  maximum  device  density  and  long  term  high  reliability. 

The  physical  properties  of  the  alumina  ceramic  were  taken  into  account  when 
developing  the  100%  screening  program  shown  in  Figunt  £6  and  related  to  a 
module  comprised  of  leadless  chip  carriers  (LCC)  mounted  or  the  alumina  .sub¬ 
strate  board.  Its  high  thermal  stability  and  ease  of  rework  characteristics, 
permit  both  the  substrate  and  the  LCC  packs  as  a  completed  module  assembly 
(less  connector)  to  be  thermal  cycled  concurrently. 

The  screening  approach  parallels  that  discussed  earlier  for  polyinide  printed 
circuit  board  modules  excpet  the  temperature  extremes  have  been  increased  to 
-65  C  and  +150  C.  The  ceramic  module  minus  the  printed  circuit  board  connector 
should  be  subjected  to  thermal  cycling  after  which  the  connector  is  to  be 
assembled,  completing  the  ceramic  module  subassembly. 

S .  3 . 2  Production 

That  thermal  cycle  level  of  the  three  conducted  on  preproduction  niodules  which 
manifests  the  most  anomalities  "ring  miodulo  level  screening  but  the  least 
number  of  module  failures  of  '  tame  module  at  the  next  higher  level  screening 
level  is  to  be  selected  as  tf"  .•ruduction  level  module  screen.  That  the  screen 
levels  selected  over  the  family  of  module  types  may  vary  between  types  is  to  be 
anticipated. 

The  effectiveness  of  the  selected  screen  should  be  monitored  continuously  at 
the  next  higher  assembly  screening  level.  In  the  event  a  new  failure  mechanism 
develops  identified  by  an  increase  in  module  failures  at  the  next  higher  assem¬ 
bly  level,  tiie  screening  program  for  the  designated  module  type  should  be 
examined.  Options  are  tc  "ary  the  number  of  thermal  cycles,  the  temperature 
range,  or  institute  a  pen  test  tailored  to  trie  detection  of  the  specific 
anomality.  Varying  the  n,  'er  of  cycles  snciild  be  avoided  except  as  a  last 
resort.  The  above  is  o.,tl  ined  in  Figures  87  and  3S. 

8.4  Final  Assembly  Level  Screening 

Our  effort  tc  compress  the  front  end  of  the  life  cycle  of  a  given  equipment 
wherein  failures  usually  iaentified  as  customer  returns  are  corrected  before 
initial  shipment  culminates  at  the  final  assembly  screening  level.  Here, 
the  effectiveness  of  module  level  screening  is  r.ieasur.eab  le  per."  i  tting,  also, 
an  assessment  of  the  moouie  fabrication  processes  to  oe  made.  What  remains 
is  the  proving  of  the  fabrication  processes  related  co  end  item  level  assembly 
and  assurance  testing  the  physical  and  functional  interactions  of  the  con¬ 
stituent  [I'.odules  and  subassemblies. 


FAILURE 

ANALYSES 


FINISHED 

STORES 


FIGURE  86  100%  PREPRODUCTION  SCREENING  OF  MODULES  INCORPORATING 
LCC  AND  CERAMIC  SUBSTRATES 


RECYCLE 

FAIL 


KITTING 

1 

1 

ASSEMBLY 

INSPECTION 

TEMP  CYCLE 
-4O“C-»+iO0®C 
A  T«X 

DWELL  =  10MIN 
20  CYCLES 

1009^ 

1 

& 

FUNCTIONAL 

PAT 

X-B®C/MIN  AS  DETERMINED 
DURING  PRE-PRODUCTION 

P.  S.  OPERATING  DURING 
WARMUP  PORTION  OF  CYCLE 


RESULTS 
OF  NEXT 
HIGHER 
ASSY 
TESTING 


TO 

FINISHED 

STORES 


E-5752 


FIGURE  87  100^  SCREENING  OF  MODULES  INCORPORATING  POLYIMIDE 

P.C.  BOARDS  DURING  PRODUCTION  PHASE 


238 


FIGURE  88  100*?^  SCREENING  OF  PRODUCTION  MODULES  INCORPORATING 

LCC  AND  CERAMIC  SUBSTRATES 


The  design  of  a  high  reliability  assenbly  normally  includes  redundancy  with 
the  best  form  of  redundancy  being  the  physical  and  electrical  separation  of 
the  redundant  paths.  Complete  physical  and  electrical  separation  is  usually 
unattainable  in  the  pure  sense  due  to  package,  control  function  and  cost  con¬ 
straints.  But  in  the  practical  sense,  enough  physical  and  electrical  separa¬ 
tion  may  exist  when  additional  external  interconnect  on  circuitry  is  incor¬ 
porated  in  the  test  bed  to  permit  each  path  to  be  exercised  independently. 

Where  the  equipment  design  or  prograi:i  requirements  do  not  lend  themselves  to 
optimally  separate  redundant  paths,  obviously,  the  conditions  of  tne  screen¬ 
ing  test  conducted  must  be  adjusted.  The  screening  program  shown  in  Figure  89 
has  been  developed  with  consideration  given  to  optimum  physical  and  electrical 
separation  between  redundant  paths.  When  this  feature  is  too  limited  or  non- 
existant  the  primary  section  path  of  the  figure  would  apply. 

The  conditions  for  thermal  cycling  on  end  item  assembly  or  equipment  are  de¬ 
pendent  upon  the  parts  mix,  processes  involved  and  the  complexity  of  the  end 
itGii'i.  Taken  from  Reference  47  (page  11-16)  is  the  grapli  entitled,  "Generalized 
Temperature  Cycling  Failtre  Rate  Curves  as  a  Function  of  [quipment  Complexity", 
shown  herein  as  Figure  90  which  represents  the  composite  of  tlieir  industry 
survey  data  normalized  to  show  the  typical  relationship  between  complexity  and 
number  of  required  temperature  cycles  necessary  to  detect  incipient  failures. 

As  can  be  seen,  the  more  complex  equipments  require  more  cycles.  From  the 
same  data  the  recommended  number  of  thermal  cycles  for  various  coirplexity 
levels  was  derived  as  1,  3,  6  and  10,  respectively,  for  complexities  of  100, 
500,  2000  and  4000  electronic  parts. 

The  credibility  of  having  one  cycle  accomplish  the  intended  result  is  ques¬ 
tionable,  particularly  when  another  recommendation  given  was  that  the  last 
cycle  should  be  failure  free.  Re-examining  the  curve  of  Figure  90  iri  terms 
of  net  improvement  of  increasing  the  number  of  cycles  to  that  number  which 
more  closely  corresponds  to  the  flat  portion  of  ttie  curve  one  '■an  readily 
recognize  an  approximate  3  to  1  reduction  in  risk  of  a  field  failure  for  the 
case  where  complexity  is  100  parts  by  increasing  the  number  of  cycles  to  3. 
Improvement  factors  in  the  area  of  2  to  1  for  the  other  complexity  levels  are 
also  recognizable  at  the  cost  of  a  few  additional  thermal  cycles. 

Following  the  guidelines  given  in  Reference  47,  as  modified  above,  the  number 
ot  cycles  may  be  determined  as  a  function  of  the  equipment  complexity  per  the 
following  scale  expanded  in  Figure  91’  for  extrapolation  purposes. 

Number  of  Cycles 


Number  of  Electronic  Parts 


FIGURE  89  PRODUCTION  ACCEPTANCE  TEST  OF  END  ITEM  EQUIPMENT 


COMPLEXITY  (NO  OF  ELECTRONIC  PARTS  IN  HUNDREDS)  OF  END  ITEM 


FIGURE  91  DETERMINATION  OF  NUMBER  OF  TEMPERATURE  CYCLES 
AS  A  FUNCTION  OF  EQUIPMENT  COMPLEXITY 


The  thermal  cycle  screen  shown  in  Figure  39  is  based  on  an  equipment  com¬ 
plexity  taken  from  the  above  for  2000  electronic  parts  corresponding  to  10 
thermal  cycles  (from  Figure  91).  The  important  aspects  of  the  temperature 
range  are  (1)  that  there  should  be  a  delta  of  at  least  160''F  (71°C)  between 
upper  and  lower  extremes,  and  (2)  that  it  should  be  representative  of  the  use 
environment.  Since  in  the  equipment  application  being  dealt  with  here,  the 
temperature  extremes  normally  are  -40°C  and  +100°C,  they  were  selected  as  the 
thermal  conditions  of  the  lOO/o  screen.  What  will  have  the  most  effect  in 
causing  incipient  failures  to  occur  during  the  10  cycles  of  thermal  cycling 
is  the  temperature  gradient. 

The  most  effective  thermal  gradient  for  a  given  equipment  will  be  that  which 
best  represents  that  found  during  its  use  environment.  The  normal  range  of 
thermal  rates  of  change  found  should  be  between  1°C  and  22‘’C  and  that  the 
higher  gradients  are  the  most  effective  when  utilized  as  a  screen.  The  engine 
mounted  environment  in  which  hardware  must  provide  continuous  service  over  a 
number  of  years,  normally  can  be  considered  to  be  one  of  the  most  severe.  De¬ 
sign  aspects  built  into  the  hardware  such  as  externally  supplied  cooling  and 
vibration  isolation,  tend  to  reduce  the  severity  of  the  engine  environment, 
however.  In  any  case  if  one  considers  the  range  of  use  environments  to  be 
scaled  from  1  to  10  with  the  most  benign  being  1,  the  most  severe  being  10, 
the  engine  mounted  environment  would  be  ranked  in  the  vicinity  of  10  (See 
Figure  92).  Tlie  profile  of  the  specified  use  environment,  in  other  words, 
must  be  completely  understood  before  an  intelligent  judgement  in  the  selection 
of  a  thermal  gradient  intended  as  the  rate  of  change  in  temperature  during  a 
thermal  cycling  test  can  be  made.  The  entiancement  of  reliability  at  the  end 
item  screening  level  is  dependent  upon  the  ability,  or  effectiveness,  of  the 
screening  process  in  isolating  incipient  failure  mechanisms  that  would  ordin¬ 
arily  occur  early  in  the  life  cycle  of  the  hardware.  Having  determined  the 
severity  level  of  the  use  environment  as  being  between  8  and  10,  the  thermal 
gradient  to  be  applied  during  the  temperature  cycle  screen  approximates  22°C/ 
rnin  in  the  worst  case. 

Dwell  time,  the  final  parameter  to  be  established,  should  be  between  1  and 
10  minutes.  From  the  various  referenced  publications,  the  general  concensus 
is  that  temperature  soak  periods  do  little  to  enhance  reliability.  Therefore, 
it  is  necessary  only  to  establish  thermal  stability  at  either  extreme  and  con¬ 
tinue  cycle  testing.  But  to  assure  maximum  effectiveness  of  the  thermal  grad¬ 
ient,  equipment  should  be  turned  off  on  the  down  trend  and  be  turned  on  when 
the  temperature  upswing  commences. 

equipment  should  be  thermal  cycled  with  covers  off  where  mechanically  feasible. 
Studies  have  shown  that  covers  offer  some  insulation  from  the  cooling  medium 
to  the  inner  parts  and  assemblies. 


244 


E-6705 


FIGURE  92  TEMPERATURE  RATE  OF  CHANGE  OF  EQUIPMENT  IN  ITS  USE 
ENVIRONMENT  BY  SEVERITY  RANK 


While  it  may  be  cost  prohibitive  to  perform  functional  testing,  even  on  a 
limited  scale,  during  the  temperature  cycling  test,  key  output  parameters 
should  be  monitored  through  some  simplified  means  to  alert  test  personnel  of 
the  occurrance  of  a  fail  condition.  Special  attention  should  be  given  to  the 
determination  of  the  condition  of  the  key  parameters  during  the  last  cycle, 
however,  since  this  last  cycle  should  be  failure  free.  In  the  event  a  failure 
occurs  during  the  thermal  screen  additional  temperature  cycles  are  to  be  con¬ 
ducted  as  a  function  of  the  complexity,  ease,  and  quality  of  workmanship  of 
the  resulting  repair  action.  Useful  as  a  guide  in  making  this  determination 
is  the  following  based  upon  excerpts  of  Reference  47. 


Number  of  Final  Consecutive  Temperature  Cycles 
Which  must  be  survived  by  the  Repaired/Replaced 
Portion  of  the  Hardware* 

Percentage  of  Total 

Parts  Repaired/Replaced 

4000  Parts  2000  Parts  500  Parts  100  Parts 

(14  Cycles)  (10  Cycles)  (5  Cycles)  (3  Cycles) 

0  to  0.1% 

0.1%  to  1% 

1%  to  5% 

5%  to  10% 

1  1  N/A  N/A 

2  1  1  N/A 

4  2  11 

6  4  2  1 

*Additional  cycles,  as  appropriate,  should  also  be  added  when  the  repair 
cannot  be  easily  and  reliably  performed. 

Finally,  having  completed  the  temperature  cycle  test,  a  complete  standard 
functional  test  should  be  performed  at  ambient  temperature  to  determine  the 
integrity  of  the  balance  of  the  parameters.  The  resulting  data  in  conjunction 
with  the  failure  data  emanating  from  the  thermal  cycle  test  is  to  be  evaluated 
in  terns  of  module  sensitivity.  From  this  evaluation  the  effectiveness  of  the 
module  level  screening  is  to  be  measured.  In  the  ideal  case,  all  module  re¬ 
lated  failures  have  been  isolated  during  module  testing  and  what  remains  are 
end  item  assembly  peculiar  fai lure  mechanisms.  Should  the  analysis  effort  prove 
the  existance  of  a  module  related  failure  mechanism,  the  module  level  screen¬ 
ing  condHions  should  be  adjusted  accordingly. 


246 


Returning  to  the  production  acceptance  testinq  of  the  end  item,  from  Figure 
89  the  next  screen  is  random  vibration.  The  extensive  study  and  evaluation 
efforts  referenced,  conclusively  show  that  sinusoidal  vibration  levels  con¬ 
tained  in  MIL-STD-781B  are  ineffective.  Experience  at  Hamilton  Standard  also 
echoes  the  conclusion  reached.  Support  is  given  to  random  vibration  for  30 
minutes  in  each  axis  with  equipment  operating  and  of  course  monitored.  The 
levels  selected  should  be  at  least  maximum  specified  values. 

A  complete  functional  test  would  follow  the  random  vibration  screen  to  ascer¬ 
tain  that  all  parameters  remain  within  specified  limits.  The  temperature  at 
which  the  final  functional  is  to  be  conducted  should  be  the  specified  maximum 
operating  temperature,  particularly  during  the  development  (preproduction) 
phase  and  should  be  conducted  on  enough  hardware  items  to  statistically  prove 
the  end  item  at  that  temperature.  When  the  qualitative  analysis  supports  the 
decision,  reverting  to  the  more  simple  ambient  of  25®C  could  be  done. 

Penalty  tests  should  be  devised  to  screen  any  end  item  peculiar  failure  mech¬ 
anisms  on  an  as  required  basis  depending  upon  screening  results  and/or  cus¬ 
tomer  returns.  Again  the  penalty  test  incorporated  at  the  end  item  level 
should  be  aimed  at  resolving  process,  assembly,  or  test  problems  germane  to 
the  enti  assembly.  Where  a  failure  mechanism  can  be  isolated  to  a  lower  level 
of  assembly,  the  incorporation  of  the  penalty  test  should  be  at  that  level 
where  economically  feasible. 

8.5  Reliability  Development  Testing 

A  significant  contribution  to  accelerating  the  maturity  of  equipments  can  be 
attained  by  the  employment  of  CERT  (Combined  Environmental  Reliability  Test) 
testing  on  electronic  engine  controls.  CERT  is  a  form  of  reliability  test 
that  is  oriented  toward  "developing"  reliability  rather  than  "demonstrating 
fixed"  reliability.  The  reliability  development  test  process  is  particularly 
useful  in  the  engine  control  area  because  comparable  field  experience  is 
accrued  at  an  extremely  low  rate,  perhaps  as  low  as  25  hours  per  month  per 
aircraft.  At  this  rate  it  could  conceivably  take  years  before  MTBF  values 
such  as  25,000  hours  can  be  substantiated.  The  cost  of  implementing 
corrective  actions  on  user  owned  equipment  is  exorbitant,  logistically 
difficult  to  administer,  and  reduces  system  availability.  Thus,  the  overall 
purpose  of  CERT  is  to  accumulate  several  thousand  control  operating  hours  in 
a  simulated  real  world  environment  with  early  production  units.  The  process 
objective  then  is  to  ensure  theoretically  and  empirically  that  follow-on 
production  controls  will  enter  service  with  a  high  MTBF.  This  is  illustrated 
in  Figure  93. 


247 


- 1 - - - 


1 

EVALUATE 

NEXT 

CORRECTIVE 

GENERATION 

ACTIONS 

GUIDE  LINES 

EXERCISE  A  SAMPLING  OF  CONTROLS 
IN  REALISTIC  FLIGHT  ENVIRONMENT 


EVALUATE 

COMPONENTS 


CONFIRM  DESIGN 
APPLICATIONS 


EXTEND  SELF¬ 
DIAGNOSTICS  & 
FAULT 
TOLERANCE 


FIGURE  93  CERT  OBJECTIVES 


The  CERT  test  facility  provides  sensor  inputs  and  output  loads  for  control 
operation.  The  environmental  conditions  which  are  obtained  from  actual 
flight  profiles  are  applied  in  cycles  and  the  performance  of  the  controls 
monitored.  Figure  94  illustrates  a  hypothetical  reduction  of  real  world 
conditions  to  CERT  test  conditions. 

The  CERT  program  should  be  operated  in  a  test-fix-retest  with  delayed  desiqn 
fixes  at  three  points.  This  is  shown  in  Figure  95  as  points  FI,  F2  and  F3 
on  the  time  scale.  The  reliability  of  the  control  is  expected  to  show  growth 
during  the  test  intervals  with  a  jump  expected  at  the  time  of  the  delayed 
fixes. 

The  increases  in  reliability  at  the  time  of  delayed  fixes  occur  as  a  result 
of  a  closed  loop  corrective  action  system.  Each  failure  during  the  CERT 
test  period  is  analyzed  for  cause.  The  cause  of  the  failures  are  categor¬ 
ized  and  collected  into  general  areas  of  responsibility  such  as  components, 
workmanship,  design,  etc.  A  decision  is  made  to  fix  immediately  or  delay  the 
fix  to  the  next  milestone.  Previous  fixes  are  closely  monitored  from  the 
time  of  incorporation  far  recurrence  to  evaluate  the  effectiveness  of  any 
changes  made  to  the  control. 

The  past  practice  of  purging  all  failures  associated  with  a  failure  mode  that 
has  theoretically  been  eliminated  by  a  fix  will  not  be  followed  when  assessing 
reliability.  This  practice  is  an  unnecessary  and  unacceptable  procedure  when 
applied  to  reliability  assessment.  With  the  recent  advances  in  reliability 
growth  procedures  and  mathematical  modeling,  purging  is  unnecessary  because 
of  the  newer  statistical  methods  to  analyze  data  with  changing  failure  rates. 

In  the  case  for  projecting  reliability  growth,  it  may  be  necessary  to  weight 
some  of  the  failure  modes  based  on  a  percentage  of  fix  effectiveness  when 
subsequent  test  data  indicates  a  decrease  in  the  failure  rate  for  that  mode. 

At  the  conclusion  of  the  CERT  test  phase  of  the  program,  the  generalized  growth 
curve  in  Figure  95  shows  an  initial  drop  in  projected  reliability.  This  drop 
is  expected  to  offset  the  gains  which  could  be  anticipated  for  the  last  de¬ 
layed  fix.  This  lov/ered  value  of  expected  growth  is  caused  by  differences  in 
actual  versus  simulated  environments  and  field  personnel  unfamiliarity  in 
handling  and  maintaining  a  nev;  product.  However,  the  reliability  growth  rate 
is  expected  to  quickly  resume  the  projected  growth  rate  after  a  short  shakedown 
period . 


249 


FLIGHT  PROFILE 


TEST  CONDITIONS 


ALTITUDE 


MACH  NO. 


flight 

TEST  DATA 


ALTITUDE 


DEWPOINT 


METAL  TEMPERATURE 


AiR  TEMPERATURE 


AIR  FLOW 


MISSION 


VIBRATION  TIME 


TIME 


E-6214 


FIGURE  ^>4  CERT  TEST  CONDITIONS 


■  .jiiitit-i-J  ,  „  ill  iH’toilti 


8.6  Reliability  Growth  Modeling 

The  development  of  designs  and  growth  tests  must  be  evaluated  by  sound  mathe¬ 
matical  techniques.  The  timely  application  and  accuracy  of  these  techniques 
is  necessary  to  assure  that; 

a.  They  will  aid  in  the  program  planning  so  that  milestones  may 
be  put  into  perspective  with  respect  to  the  reliability  goals. 

b.  They  will  identify  and  quantify  the  impact  of  corrective  actions. 

c.  They  will  aid  in  allocation  and  reallocation  of  resources  to 
achieve  goals  within  the  other  program  constraints. 

d.  Optimization  of  the  reliability  growth  process  is  achieved. 

3.6.1  Generalized  Statistical  Analysis 

A  Generalized  Statistical  Analysis  Flow  Chart  is  shown  in  Figure  36  which 
presents  a  summary  of  the  basic  notions  on  how  a  reliability  growth  analysis 
should  be  performed.  There  are  a  great  number  of  details,  required  to  per¬ 
form  a  specific  analysis  but  broadly  speaking,  the  flow  chart  shows  the  main 
steps  in  an  analysis. 

The  reliability  growth  modeling  presented  in  the  remainder  of  this  guide  v.ill 
primarily  be  conceined  with  the  Non-homogeneous  Poisson  Process  (NHPP)  which  is 
also  known  as  the  Army  Material  Systems  Analysis  Activity  (AMSAA)  reliability 
growth  model , 

8. 6. 1.1  Trend  Testing 

Trend  tests,  i.e.,  tests  to  determine  whether  there  is  a  long  term  tendency 
for  successive  times  between  failures  to  become  smaller  (or  larger)  are  dis¬ 
cussed  next.  If  a  trend  exists  the  Non-homogeneous  Poisson  Process  is  the 
simplest  stochastic  process  which  may  be  an  adequate  representation.  It  is 
possible  that  a  more  complex  model  may  be  required,  but  it  has  been  shown  no 
such  model  for  repairable  system  reMability  is  really  necessary  fromi  a 
statistical  viewpoint. 

The  simplest  way  to  perform  a  trend  test  is  to  plot  cumulative  number  of  fail¬ 
ures  versus  cumulative  operating  time  a.s  in  the  upper  part  of  Figure  97.  If 
times-between-fai lures  ate  tending  to  become  smaller  and  suialler,  a  concave 
up  shape  v.'ill  result  as  depicted  in  the  figure,  Conversely,  if  the  times  are 
getting  larger,  the  plot  will  be  concave  down.  An  alternate  proceoure  is  to 


E-5700 


FIGURE  96  GENERALIZED  STATISTICAL  ANALYSIS  FLOW  CHART 


estimate  the  average  rate  of  occurrence  of  failures  in  three  or  more  subinter¬ 
vals.  In  Figure  98,  P(t)  is  estimated  for  each  subinterval  by  dividing  the 
number  of  failures  in  that  subinterval  by  to/3.  Wearout  (growth)  is  indi¬ 
cated  if  the  successive  estimates  become  larger  (smaller).  In  extreme  enough 
cases  eyeball  analyses  of  such  plots  wi^l  be  adequate  to  disclose  reliability 
growth  or  long  term  wearout.  In  most  c  ^es,  however,  quantitative  tests  will 
be  necessary. 

Under  the  null  hypothesis  of  a  homogeneous  Poisson  Process  the  Ti  will  be  in¬ 
dependent  and  uniformally  distributed  on  (0,  to).  Hence,  for  critical  values 
corresponding  to  the  5%  level  of  significance, 


n 


can  be  considered  to  be  unit  normal  distributed,  for  n  as  small  as  3,  under 
the  null  hypothesis.  This  test  has  the  following  simple  interpretation: 
under  wearout  (growth)  the  Ti  will  tend  to  occur  after  (before)  the  midpoint 
of  the  observed  interval.  Hence,  under  wearout  (growth),  n  will 

r  Ti/n  to 
i  =  l 

tend  to  be  large  (small).  In  other  words,  significantly  large  (small)  values 
of  the  standardized  variate 


show  significant  evidence  of  wearout  (growth).  Since  this  test  is  so  simple 
to  implement  and  to  interpret,  it  may  appear  to  be  "quick  and  dirty".  Actu¬ 
ally,  however,  it  has  been  shown  to  be  an  optimum  rest  against  at  least  two 
plausible  models  by  Cox  (1955)  and  Bates  ( 1955) . 


Laplace's  test  is  not  consistent  against  alternatives  where  the  rate  of 
occurrence  of  failure  is  non-monotone  in  such  a  way  that  E(l'Ti/n  tg)  =  1/2. 
In  this  case,  a  test  developed  by  Hollander  and  Prosctian  (1974)  is  superior. 


CUMUU\TIVE 

FAILURES 

N  (T) 


FIGURE  97  CUMULATIVE  FAILURES 


AVERAGE 
FAILURE  RATE 
P(T) 


l  "~"  I  I 

Ifi,  2  To  To 

3  3 

CUMULATIVE  TIME 


FIGURE  98  AVERAGE  FAILURE  RATE 


8. 6. 1.2  AMSAA  Reliability  Growth  Model 


8. 6. 1.2.1  Basis  of  the  model  The  US  Army  Material  Systems  Analysis  Activity 
(AMSAA)  employs  a  stocKastic  process  to  model  reliability  growth.  This  model 
adequately  represents  the  improvement  in  reliability  during  deve1oprri,eiit  for 

a  wide  variety  of  systems.  It  is  applicable  to  systems  for  whicii  usage  is 
measured  on  a  continuous  scale,  for  example,  time  in  hours  or  distance  in 
miles.  For  the  sake  of  simplicity  usage  is  referred  to  as  time  in  the  sequel, 
Duane  (50)  first  observed  that,  for  each  of  several  systems,  the  number  of^ 
failures  accumulated  at  total  operating  time  t  could  be  approximated  by  >.t^ 
in  which  Aand ySwere  positive  parameters  which  varied  from  one  system  to  an¬ 
other.  The  exponent  must  be  less  tf.:iM  one  for  representation  of  reliability 
growth.  Historical  data  indicate  that  intensive  reliability  improvement  pro¬ 
grams  are  character i zed  by  this  parameter  being  in  the  range  from  .5  to  .7. 

8. 6. 1.2. 2  Stochastic  formulation  Crow  (Reference  61)  formulated  a  statistical 
model  to  descrioe  the  pattern  of  reliability  growth.  This  model  provides  that 
the  average  number  of  failures  accumulated  by  time  t  is  expressed  as  \t  ^  ,  but 
the  actual  number  of  failures  observed  to  that  time  is  a  random  variable  des¬ 
cribed  by  the  Weibull  process.  Other  references  on  this  process  include  Kemp- 
thorne  and  Folks  (Reference  52),  Englehardt  and  Bain  (Reference  53),  Bassin 
(Reference  54j,  Crow  (Reference  55  and  56),  Finklestein  (Reference  57),  and  Lee 
and  Lee  (Reference  58).  This  development  supplies  methods  for  calculating 
statistically  valid  estimates  o'^  the  mean  time  between  failures  which  the  system 
would  exhibit  if  no  further  improvements  are  incorporated.  This  constitutes  a 
means  for  monitoring  reliability  growth  during  the  development  process. 

8. 6. 1.2. 3  Cumulative  number  of  failures  The  total  number  of  failures,  R(t), 
accumulated  on  all  test  items  in  cumulative  test  time  t  is  a  random  variable 
with  the  Roisson  distribution.  The  probability  that  exactly  n  failures  occur 
between  the  initiation  of  testing  and  total  test  time  t  is 

P  j  ( t )  =  n  }  =  m(t)'^  e-^(t) 

n ! 

in  which  m(t)  is  the  mean  value  ■'"unction;  that  is,  the  expected  number  of 
failures  expressed  as  a  function  of  test  time.  To  describe  the  reliability 
growth  process  this  function  is  of  the  form 

m( t )  =  ^  t  ^ 

in  which  \  and /3  are  positive  parameters. 


?56 


8. 5. 1.2. 4  Number  of  failures  in  an  interval  The  number  of  failures  occur¬ 
ring  in  the  interval  from  test  time  3  until  test  time  b  is  a  random  variable 
having  the  Poisson  distribution  with  mean 

m(b)  -  m(a)  =  A'b^  -  a^  ). 

The  number  of  failures  occurring  in  any  interval  is  statistically  independent 
of  the  number  of  failures  in  any  interval  which  does  not  overlap  the  first 
interval.  Only  one  failure  can  occur  at  any  instant.  The  time  history  of  the 
cumulative  number  of  failures  is  said  to  be  a  non-homogeneous  Poisson  process 
0!“  more  precisely  a  Weibull  process, 

5. 6. 1.2. 5  Intensity  function  The  rate  of  change  of  the  mean  value  function 
is  called  the” intensity  function  of  the  process.  For  the  reliability  growth 
process  the  intensity  function  is 

Pit)  =Apt^‘' 

The  probability  of  the  occurrence  of  a  failure  between  time  t  and  time  t+h  is 
approx  imate  ly  pi t )  h  if  the  increment  h  is  sufficiently  small.  The  intensity 
function  is  sometimes  called  the  failure  rate;  however,  this  concept  is  dif¬ 
ferent  from  that  of  the  failure  rate  or  hazard  rate  of  a  life  distribution. 

Caution  should  be  exercised  so  that  the  two  ideas  are  not  confused.  The  para¬ 
meter  A  is  called  a  scale  parameter  because  it  depends  upon  the  unit  of  mea¬ 
surement  chosen  for  t.  The  parameter^ is  of  prime  importance  because  it 
characterizes  the  shape  of  the  graph  of  the  intensity  function.  IfPis  equal 
to  one,  the  intensity  function  is  constant.  In  that  case  the  reliability  of 
the  system  is  not  changing  since  the  times  between  successive  failures  are 
independent  identically  distributed  randoni  variables  with  an  exponential  dis¬ 
tribution  with  meanA'*  .  If  Pis  not  equai  to  one  the  times  between  successive 
failures  are  not  identically  distributed  and  do  not  have  exponential  distri¬ 
butions.  For  3  development  process  during  which  the  system  improves  the  shape 
parameter  Pis  less  than  one,  and  typically  not  less  than  .5.  In  this  case 
the  expected  number  of  failures  in  an  ir.terval  of  fixed  length  decreases  as 
its  starting  point  increases.  In  a  poorly  managed  reliability  program  improper 
aesign  changes  can  result  in  degradation  of  system  reliability.  This  situa¬ 
tion  15  characterized  by  values  of  the  shape  parameter p greater  than  one.  This 
indicates  that  the  number  of  failures  expected  in  a  fixed  increment  of  time  is 
increasing  with  time. 

3.6.  1.2.5  Mean  time  between  Failures  Parameters  such  as  mean  time  between 
failures  are  used  conventionally  to  represent  the  reliability  performance  of 
rapairabls  systerrs.  The  use  of  these  parameters  to  completely  characterize 
reliability  reflects  the  assumption  that  the  times  between  failures  are  iden- 


ticaily  distributed.  In  particular,  it  is  commonly  assumed  that  these  limes 
come  from  the  same  exponential  distribution.  This  corresponds  to  the  special 
case  of  the  reliability  growth  process  in  which  the  shape  parameter  is  one. 

This  special  case  is  called  a  homogeneous  Poisson  process.  It  is  proper  to 
use  the  reliability  growth  model  to  predict  a  volue  of  the  mean  time  between 
failures  for  such  a  system.  While  it  is  in  development  the  occurrence  of 
failures  follows  the  reliability  growth  process  with  a  decreasing  intensity 
function  if  the  system  is  improving  due  to  design  changes.  When  production 
commences  the  design  is  fixed  and  therefore  no  further  reliability  improvement 
is  assumed.  The  constant  value  of  the  intensity  function  for  the  production 
model  should  be  approximately  equal  to  the  value  of  the  intensity  function  at 
the  end  of  development  testing.  Thus,  the  anticipated  mean  time  between  fail¬ 
ures  for  the  production  model  is  equal  to  the  reciprocal  of  the  intensity  func¬ 
tion  if  the  system  is  improving  due  to  design  changes.  When  production  com¬ 
mences  the  design  is  fixed  and  therefore  no  further  reliability  improvement 
is  assumed.  The  constant  value  of  the  intensity  function  for  the  production 
model  should  be  approximately  equal  to  the  value  of  the  intensity  function  at 
the  end  of  development  testing.  Thus,  the  anticipated  mean  time  between  fail¬ 
ures  for  the  production  model  is  equal  to  the  reciprocal  of  the  intensity  func¬ 
tion  at  the  end  of  the  development  phase. 

8 . 6 . 1 . 3  Reliability  Growth  Assessment 

8. 6. 1.3.1  Graphical  estimation  Plots  derived  from  the  failure  data  provide 
a  graphic  description  of  test  results.  They  furnish  the  analyst  a  means  to 
examine  the  nature  of  the  data.  Graphical  methods  can  also  be  used  to  obtain 
rough  estimates  of  the  reliability  parameters  of  interest  in  the  reliability 
growth  process.  Two  types  of  graphs  are  described  below.  The  first  tells  the 
analyst  if  growth  is  obviously  demonstrated  by  the  data.  The  second  method 
goes  further  since  it  provides  rough  estimates  of  the  two  parameters  in  the 
expression  for  the  intensity  function. 

8. 6. 1.3. 2  Average  failure  frequency  plots  Construction  of  a  plot  of  the 
average  failure  frequencies  observed  during  testing  yields  a  crude  approxima¬ 
tion  of  the  intensity  function.  To  construct  such  a  plot  divide  the  elapsed 
test  time  into  at  least  three  nonoverlapping  intervals.  These  nonoverlapping 
intervals  can  be  on  unequal  length.  Next  calculate  the  frequency  of  occurrence 
of  failures  within  each  interval  by  dividing  the  number  of  failures  in  the 
interval  by  its  length.  Plot  the  failure  frequency  as  a  horizontal  line  at 

the  appropriate  ordinate.  The  line  should  extend  over  the  abscissas  correspond¬ 
ing  to  time  within  the  interval.  Any  significant  increasing  or  decreasing 
trend  in  the  intensity  function  should  be  apparent  from  this  plot. 


258 


8. 6, 1.3. 3  Cumulative  failure  plots  A  graph  of  the  observed  cumulative  number 
of  failures  plotted  against  cumulative  test  time  on  full  logarithmic  paper 
furnishes  crude  estimates  of  the  parameters  wiiich  describe  the  intensity  func¬ 
tion.  Taking  logarithms  in  the  expression  for  the  mean' value  function  yields 
the  result 


In  m(t)=  lnA+/3lnt 

Therefore,  the  expression  for  the  mean  value  function  is  represented  by  a 
straight  line  on  full  logarithmic  paper.  A  line  drawn  to  fit  the  data  points 
representing  the  cumulative  number  of  failures  at  the  time  of  each  failure 
occurrence  is  a  suitable  approximation  of  the  true  line.  The  ordinate  of 
the  point  on  the  line  corresponding  to  t  equal  to  one  is  an  estimate  of  A. 

The  actual  slope  of  the  line  as  measured  with  a  ruler  yields  an  estimate  of  the 
shape  parameter /S.  Alternate  methods  include  the  plotting  of  the  cumulative 
numbers  of  failures  divided  by  cumulative  test  time  or  the  reciprocal  of  that 
quantity.  If  either  of  those  methods  is  used,  the  method  for  estimating  the 
parameters  is  slightly  more  complicated. 

8. 6. 1.3. 4  Statistical  estimation  Modeling  reliability  growth  as  a  non-homo- 
geneous  Poisson  process  permits  the  assessment  of  the  demonstrated  reliability 
performance  by  statistical  procedures.  The  method  of  maximum  likelihood  pro¬ 
vides  estimates  of  the  scale  parameter  A  and  the  shape  parameter /J.  These  esti¬ 
mates  are  used  in  estimation  of  the  intensity  function.  The  reciprocal  of  the 
current  value  of  the  intensity  function  is  the  mean  time  between  failures  that 
the  system  would  extiibit  in  the  absence  of  further  improvements.  Procedures 
for  point  estimation  and  interval  est'imation  of  mean  time  between  failures_ 

are  described  below.  The  data  employed  in  the  estimation  consists  of  a  failure 
times  from  testing  terminated  at  a  given  time  or-  from  testing  terminated  at  the 
occurrence  of  a  specified  number  of  failures.  The  procedures  vary  sliohtly 
for  these  two  types  of  tests.  A  goodness  of  fit  test  to  determine  whether 
the  model  is  appropriate  to  describe  the  data  is  also  described  below.  If  the 
exact  times  of  failure  occurrence  are  unknown,  it  may  still  be  possible  to 
utilize  the  reliability  growth  model.  This  is  the  case  when  inspections  are 
conducted  to  uncover  hidden  failures.  Procedures  to  use  In  that  instance  are 
described  by  grouped  data. 

8. 6. 1.3. 5  Time  terminated  testing  The  procedures  described  in  this  section 
are  to  be  used  to  analyze  data  from  tests  which  are  terminated  at  a  predeter¬ 
mined  time  or  tests  which  are  in  progress  with  data  available  through  some 
time.  The  required  data  consists  of  the  cumulative  test  time  on  all  systems 
at  the  occurrence  of  each  failure  as  well  as  the  accumulated  test  time.  To 
calculate  the  cumulative  test  time  of  a  failure  occurrence  it  is  necessary  to 
sum  the  test  time  on  every  system  at  that  instant.  The  data  then  consists  of 
the  N  failure  times  X],  X2,  ....  X^  which  occur  prior  to  the  accumulated  test 
time  T. 


259 


8. 6. 1.3. 6  Point  estimation  The  method  of  maximum,  likelihood  provides  point 
estimates  of  the  parameters  of  the  reliability  growth  process.  The  estimate 
of  the  shape  parameter  is 


il  In  T  -  X  In  Xi 
i-1 

A 
A 

Subsequently,  the  scale  parameter  >.  is  estimated  byx  =  N/T  .  It  follows  that 
for  any  time  t  the  intensity  function  is  estimated  by^(t)  =  In 

particular,  this  holds  for  T,  the  accumulated  test  time.  The  reciprocal  of 
^  (T)  provides  an  estimate  of  the  mean  time  between  failures  which  could  be 
anticipated  if  the  system  configuration  remains  as  it  is  at  time  T.  If  the 
reliability  program  is  expected  to  continue  without  any  shift  in  emphasis  or 
environment,  then  tlie  intensity  function  may  be  projected  into  the  future  to 
predict  the  benefit  of  continued  attempts  to  improve  reliability.  Although 
the  estimators  use  all  failure  occurrences,  the  model  is  effectively  self¬ 
purging,  The  estimator  ^(T)  can  be  written  as  (N/T).  Note  that  N/T  would 
be  the  estimate  of  the  intensity  function  for  a  homogeneous  Poisson  process. 
Hence,  the  fraction  (1-^)  of  the  failures  are  effectively  eliminated. 

8. 6. 1.3. 7  Interval  estimation  Interval  estimates  provide  a  measure  of  the 
uncertainty  regarding  the  cfemonstration  of  reliability  by  testing,  t-ur  the 
reliability  growth  process  the  parameter  of  primary  interest  is  the  mean  time 
between  failures  that  the  system  would  exhibit  after  the  initiation  of  pro¬ 
duction.  The  probability  distribution  of  the  point  estimate  of  the  intensity 
function  at  the  end  of  the  test  is  the  basis  for  the  interval  estimate  of  the 
true  value  of  the  intensity  function  at  that  time.  The  values  in  Table  31 
facilitate  computation  of  confidence  interval  estimates  for  the  mean  time 
between  failures.  The  table  provides  two-sided  interval  estimates  on  the 
ratio  of  the  true  MTGF  to  the  estimated  MTBi  for  several  values  of  the  confi¬ 
dence  coefficient.  If  the  number  of  failures  is  N  and y is  the  selected  con¬ 
fidence  coefficient,  then  the  appropriate  tabular  values  are  Ln,/  and  UNiV  . 

The  interval  esti:uate  of  MTBr  is 

LK,y  <  MTBF 

TT)  “ 

Because  the  number  of  failures  has  a  discrete  probability  distribution,  these 
interval  estiniates  are  conservative,  that  is,  the  actual  confidence  coefficient 
is  slightly  larger  than  the  stated  confidence  coefficient. 


~  jfT) 


TABLE  31  COilFIDENCE  INTERVALS  FOR  MTEF  FROM  TIME  TERMINATED  TEST 


T 

.80 

.90 

.95 

.98 

N 

L 

U 

L 

U 

L 

U 

U 

2 

.261 

IS  66 

.200 

38.66 

139 

*3.66 

.  124 

193.7  1 

3 

.333 

5 . 326 

.263 

9 .736 

.  *  A  ' 

14.65 

,  174 

24.10  1 

4 

.385 

4 . 243 

.312 

5.947 

262 

3.09.3 

.  215 

11.31 

s 

.426 

3.386 

.352 

4  .517 

300 

5.362 

.  250 

3.043 

6 

.4S9 

2.915 

.385 

3.  *64 

.  331 

4.733 

.  230 

6.254 

7 

.487 

2.616 

.412 

3.293 

.333 

4 .061 

.  5CS 

3.216 

S 

.Sll 

2.407 

.436 

2.931 

.382 

3.609 

.  50S 

4.539 

9 

.531 

2.254 

.457 

2.750 

.403 

3.283 

.  349 

4.064 

10 

.549 

2.136 

2.575 

421 

3.042 

.  56? 

3.712  1 

11 

.565 

2.041 

.492 

2.436 

4  38 

2.352 

.  584 

3.441  1 

12 

.379 

1.963 

.507 

2.324 

.455 

2.692 

.  399 

5  *’06  ^ 

13 

.592 

1.901 

.521 

2.232 

.  467 

2.574 

.413 

5  .  C  5  C  ‘ 

14 

.604 

1.846 

2  .133 

.480 

2.469 

.  426 

2 . 904  ■ 

13 

.614 

1  .  800 

.£45 

2. os: 

492 

2 . 5*9 

,438 

2.781  1 

16 

.624 

1.759 

.536 

2 .025 

-  503 

0 . 500 

.4  49 

2 . 6  7  3 

17 

.633 

1.723 

.  565 

1.973 

.513 

2.255 

.460 

2.53i  I 

18 

.642 

1.692 

.  STS 

1.953 

.505 

2.1*6 

.  470 

2.803  1 

19 

.650 

1.663 

.383 

1.393 

.  550 

2  .  123 

.  479 

2.432 

20 

.637 

1.633 

.391 

1  .338 

.  340 

2 . 076 

.  4SS 

2.369  1 

21 

.664 

1 .613 

.399 

1  .3’5 

.543 

2.034 

.496 

2.3:3  1 

22 

.670 

1.594 

.606 

1.796 

1.996 

,504 

2.261  : 

23 

.676 

.015 

1  ^  ^ 

.  365 

1  .  .-6  i 

,  5: ' 

2 . 0 1 S 

24 

.632 

1.537 

.619 

1  .:-is 

.3*0 

1.929 

.518 

2.1*3  i 

2S 

.637 

1.540 

.625 

1.722 

.576 

1 . 900 

.325 

2.134  i 

26 

.692 

1.525 

.631 

1.7C1 

.582 

1.873 

.531 

2.098 

27 

.697 

l.Sll 

.636 

1.682 

.583 

..?'8 

5 

2.068  1 

28 

.702 

1.49S 

.  641 

1 . 664 

.  V  ?4 

1  ^:s 

.  5  -3  * 

0  .  5  5 

29 

.706 

1.436 

.646 

1.647 

.  5r9 

1  ,  55 

.  -4? 

2.C'0tj  • 

30 

.711 

1  .475 

.  6Si 

1.631 

i  .  “  5  5 

.  534 

1.880  ! 

3S 

.729 

1.427 

.672 

1.563 

.627 

1  639 

.  579 

1.3*0  . 

40 

.745 

1.390 

.390 

1.513 

.646 

1.633 

.  559 

l.*S3  i 

4S 

.758 

1.361 

.705 

1.4*6 

.662 

1 .3S3 

,61* 

1.-23  1 

SO 

.769 

1 .  S')? 

.718 

1.443 

.676 

1.544 

.632 

1.671 

60 

.787 

1.300 

.739 

1.393 

.700 

1.481 

,657 

1.591 

70 

.801 

1.272 

.756 

1.356 

.713 

1  .435 

.678 

1.333 

SO 

.813 

1.251 

.769 

1.328 

1  .734 

1.399 

i  .  695 

1.4S3 

100 

.831 

1.219 

.791 

1.286 

.758 

1  ,347 

1  .*22 

1.423 

For  N  >  100, 

L  i  (I  *  Z  .  A/5n) 

.  j  *  ir 

2 

in  which  Z 


-2 


U  i  (I  - 


.  5  •  V 

2 


/n/ZN)  ‘ 


■  .  S  *  Y 

T 

normal  distr’.bucion. 


is  the  (.5  ♦  ^)-th  percentile  of  the  scar.dord 
2 


8. 6. 1.3. 8  Goodness  ol"  Fit  The  null  hypothesis  that  a  nonhonogeneous  Poissor. 
process  with  an  intensity  function  of  the  form  yyst^  *1  properly  describes  the 
reliability  growth  of  a  particular  system  is  tested  by  the  use  of  a  Cramer-von 
Mises  statistic.  An  unbiased  estimate  of  the  shape  parameter  is  used  to  cal¬ 
culate  that  statistic.  This  estimate  of^is 


-  TT  ^ 

for  a  time  terminated  test  with  N  failure  occurrences.  The  estimate  ^is  des¬ 
cribed  as  the  point  estimate.  The  goodness  of  fit  statistic  is 


in  which  the  failure  times  must  be  ordered  so  that  0<XilX2^  ...<Xfj.  The 
null  hypothesis  is  rejected  if  the  statistic  exceeds”the  critical  value  for 
the  level  of  significance  selected  by  the  analyst.  Critical  values  of  for 
the  .20,  .15,  .10,  .05,  and  .01  levels  of  significance  have  been  computed 
and  are  in  Table  32.  The  table  is  indexed  by  a  parameter  labeled  f-i.  For 
time  terminated  testing  M  is  equal  to  N,  the  number  of  failures.  If  the  test 
rejects  the  reliability  growth  model,  an  examination  of  the  data  may  reveal 
the  reason  for  the  lack  of  fit.  Possible  causes  of  rejection  include  the 
occurrence  of  more  than  one  failure  at  the  same  time  of  the  occurrence  of  a 
discontinuity  in  the  intensity  function.  In  the  first  case,  an  appropriate 
procedure  may  be  to  group  the  data.  In  the  latter  case  the  data  should  be 
treated  as  a  discontinuity, 

8. 6. 1.3. 9  Failure  terminated  testing  The  procedures  described  in  this  sec¬ 
tion  are  applicable  to  tests  which  are  terminated  upon  the  accumulation  of  a 
specified  number  of  failures.  The  procedures  are  only  slightly  different  from 
those  used  fut  time  terminated  testing.  The  data  consists  of  the  li  failure  tines 
X-|,  Xo,  ...,  Xf.j  expressed  in  terms  of  cumulative  test  time  and  arranged  in 
nondetreasing  order. 

8.6.1.3.10  Point  estimation  The  method  of  maximum  likelihood  furnishes  point 
estimates  of  the  shape  parameter yS and  the  scale  parameter  A.  The  estimate  of  ^ 
is 


A  N 

^  '  '(N-"l)Yn  X-;  -  In  Xi 

i  =  l 

Note  that  this  is  equivalent  to  the  estimate  for  time  terminated  testing  with 
the  test  time  equal  to  the  time  of  occurrence  of  the  last  failure.  The  scale 


262 


parameter  Xi s  estimated  by 


as  before.  The  intensity  function  and  mean  time  between  failj^tes  are  estimated 
as  before.  For  small  sample  sizes  use  of  unbiased  estimator  ^is  advisable. 

8.6.1.3.11  Interval  estimation  An  interval  estirnate  of  the  mean  time  between 
failures  that  the  system  would  exliibit  in  the  absence  of  further  changes  is 
also  available  for  the  case  of  failure  terminated  testing.  Table  33  provides 
factors  for  the  const>^uction  of  two-sided  interval  estimates  of  the  MTGF  for 
several  values  of  the  confidence  coefficient  y.  The  smaller  number  correspond¬ 
ing  to  the  nuMiber  of  failures  and  desired  confidence  coefficient  is  divided  by 
the  poiriL  estimate  of  the  intersity  function  at  the  end  of  the  test  to  yield 
the  lower  limit  of  the  ir'terval.  Division  of  the  larger  value  by  the  intensity 
function  estimate  provides  the  upper  limit. 

8.6.1.3.12  Goodness  of  Fit  The  hypothesis  that  ttie  AMSAA  nicdel  is  appropriate 
can  be  tested  using  a  Cramer-von  Flises  statistic.  It  is  important  to  note  the 
jifterence  in  the  calculations  from  those  for  time-terminated  testing.  An  un¬ 
biased  estimate  of  the  shape  parameter  given  by 

1  --  N-2  ^ 


is  used  in  calculation  of  the  goodness  cf  fit  statistic.  The  parameter  for 
indexing  that  statistic  is  M  which  is  one  less  than  D,  the  number  of  failures. 
The  Cramer-von  Mises  statistic  is  then 

&  2 
f'!  /Xi\-  2i-l 

^  -w 

M  TW  i  =  l  J 


Table  32  provides  critical  values  for  use  in  the  test.  The  model  is  deemed 
inappropriate  if  the  statistic  C|^  exceeds  the  critical  value  for  some  specified 
level  of  significance  01 , 

0.6,1.3,13  Grouped  data  It  may  happen  that  an  event  included  within  the  scope 
of  the  definition  of  the  tenir  "failure"  does  not  preclude  the  operation  of  the 
equipment.  It  is  possible  that  such  events  are  not  uncovered  until  a  thorough 
inspection  is  conducted.  Iii  this  case  the  exact  time  of  the  failure  is  unknown; 
however,  one  can  presume  thaf  it  happened  in  the  interval  since  the  last  in¬ 
spection.  The  total  number  uf  failures  in  the  interval  between  inspections 


is  therefore  the  sum  of  the  number  of  failures  detected  at  the  time  of  occur¬ 
rence  and  the  number  of  failures  found  in  the  inspection.  Such  totals  for  each 
interval  can  be  used  to  estimate  reliability  growth  in  accordance  with  the 
At'iSAA  model  if  there  are  at  least  three  intervals. 

8.6.1.3.14  Point  estimation  from  grouped  data  The  data  consists  of  the  total 
number  of  failures  in  each  of  K  intervals  of  test  time.  The  first  interval 
starts  at  test  time  zero.  The  intervals  do  not  have  to  be  of  equal  length. 
Denote  the  number  of  failures  in  the  interval  from  ti-i  to  ti  by  ni.  By  con¬ 
vention  to  is  equal  to  zero.  The  maximum  likelihood  estimate  of  the  shape 
parameter yS  i s  the  value  which  satisfies 


A 

ti  In  ti 


-  ti-l  In  ti-l 


In  tK 


in  which  to  In  to  is  defined  as  zero.  This  nonlinear  equation  can  be  easily 
solved  by  any  of  several  iterative  procedures.  The  scale  parameter  estimate 
is 

K 

A  r  ni 

k  ~  i  =  l 


which  corresponds  to  the  result  for  testing  when  all  failure  times  are  known 
with  the  exception  that  the  estimate  of/Jis  calculated  differently.  Point 
estimates  of  the  intensity  function  and  the  mean  time  between  failures  are 
calculated  as  explained  for  point  estimates. 

8.6.1.3.15  Goodness  of  Pit  A  chi-squared  goodness  of  fit  test  can  be  used 
to  test  the  hypothesis  that  the  AMSAA  reliability  growth  model  adequately 
represents  a  set  of  grouped  data.  The  expected  number  of  failures  in  the  in¬ 
terval  from  ti-l  to  ti  is  approximated  by 


ei  4 


- 


Adjacent  intervals  may  have  to  be  combined  so  that  the  expected  number  of  fail¬ 
ures  in  any  combined  interval  is  at  least  five.  Let  the  number  of  intervals 
after  this  combination  be  K  and  let  the  number  of  failures  in  the  i-th  inter¬ 
val  be  Ni.  furthermore,  let  ei'be  the  expected  number  of  failures  in  the  i-th 
new  interval.  Then  the  statistic 


266 


K 
X 
i  =  l 


2 


is  approximately  distributed  as  a  random  variable  with  K-2  degrees  of 
freedom.  The  critical  values  for  this  statistic  can  be  found  in  tables  of 
the  chi-squared  distribution. 

8.6.1.3.16  Discontinuities  in  the  intensity  function  The  simultaneous  in¬ 
troduction  of  several  design  changes,  a  change  in  emphasis  in  the  reliability 
program,  or  some  other  factor  may  cause  an  abrupt  change  in  the  intensity  func¬ 
tion.  Such  a  jump  should  be  detected  by  a  departure  from  linearity  in  the 

full  logarithmic  plot  of  cumulative  failures,  a  large  change  in  the  level  of  the 
average  failure  frequency,  or  rejection  of  the  model  by  a  goodness  of  fit  test. 

8.6.1.3.17  Location  of  discontinuity  The  cumulative  test  time  at  which  a 
discontinuity  has  occurred  can  be  determined  by  inspection  from  graphs  of  cumu¬ 
lative  failures  or  average  failure  frequency.  The  methods  presented  above  can 
then  be  used  to  estimate  the  intensity  function  by  use  of  different  parameters 
for  the  period  before  the  jump  and  for  the  period  after  the  jump.  That  is, 

if  the  discontinuity  occurs  at  time  Tj,  then  the  intensity  function  is  estimated 


A 

A  A  A  ^1-1 

P  (t)  =  Xi  13  It 

A  (3  p-] 

--  ^2^^2(t-Tj)  ^ 


0  <  t  <  T' 


t  >  T 


in  which  \]  and  0]  are  estimated  only  from  failures  on  or  before  Tj  and  \2 
and  02  estimated  from  those  failures  occurring  after  Tj.  Only  the  second 
of  these  equations  is  needed  to  estimate  the  currently  achieved  value  of  the 
intensity  function. 

8.6.2  farly  Reliability  Growth  Evaluation 

The  modeling  of  early  reliability  growth  by  using  differential  equations  is  a 
very  useful  technique  for  determining  and  reflecting  known  underlying  failure 
mechanisms  which  are  contributing  to  reliability  growth. 

The  IBM  differential  equation  growth  model  advanced  by  Rosner  (Reference  59) 
is  highly  useful  in  that  it  is  one  of  the  few  models  addresssing  bu'-n-in  and 
screening  effects.  The  model  takes  into  account  the  nonlinearity  of  early 
growth  and  incorporates  very  plausible  assumptions. 


267 


The  IBM  tr.oael  assumes,  explicitly,  that:  1)  there  are  random  (constant  inten¬ 
sity  function)  failures  occurring  at  rate  X,  and  2)  there  are  a  fixed  but  un¬ 
known,  number  of  nonrandom  design,  manufacturing  and  workmanship  defects  pre¬ 
sent  in  the  system  at  the  beginning  of  testing.  Let  [i(t)  be  the  nunber  of  non- 
random  type  defects  remaining  at  time  t^O.  This  model  makes  the  inti.ii ti vely 
plausible  assumption  that  the  rate  of  change  of  IJ(t)  with  respect  to  time  is 
proportional  to  the  number  of  nonrandom  defects  remaining  at  t.  That  is, 

d  N(t)/dL  =  -K2N(t) 


and  hence 


N(t)= 

Now  if  we  denote  tfie  unknown  number  of  nonrandom  failures  present  at  t-0  by 
K]  then 

M(t)  =  K^e  t  >0,  Kl ,  K2>0 

Defining  V(t)  to  be  the  expected  cumulative  number  of  failures  up  to  time  t 
then 

V.'t)  =  ;^t  +  Kl  (l-e"^2t  X 

Thus,  the  expected  cumulative  number  of  failures  by  time  t  is  the  expected 
number  of  random  failures  by  time  t  plus  the  expected  number  of  nonrandom 
failures  removed  by  time  t.  It  should  be  noted  that  V(o)  =  0  as  expected. 
Moreover,  as  t  — oo,  V(t)-At  +!(]->  At as  expected. 

Because  of  the  nonlinearity  ot  the  model,  the  estimation  of  a  ,  Ki  ano  Kj  must 
be  evaluated  by  iterative  methoas.  One  method  of  solution  is  a  nonlinear 
estimation  computer  program  based  on  a  methodology  developed  by  G.E.P.  Box. 

There  are  some  extremely  nice  features  of  this  model.  In  addition  to  being 
"plausible",  the  most  interesting  feature  is  the  ability  of  the  model  to  pre¬ 
dict  the  time  when  the  systeci/equiprient  is  "q"  fraction  debugged  (i.e.,  a 
fraction  of  the  original  Ki  nonrandomi  failures  have  been  removed,  0<q<l). 
The  number  of  nonrandom  defects  removed  by  time  t  is  clearly 

N(0)  -  ('.(t)  =  Kl  -  Kie'^?^ 

and  hence  the  fractior-:  (of  Kj  initial  nonrandom  defects)  removeu  by  ti-ne  u  is 


Thus  having  estimated  Kj,  say  !T2,  we  can  find  the  tine  at  wh'ch  q  =  C.95  of  the 
nonrandom  defects  have  been  removed  by  solving  for  tQ_g5.  That  is, 

t.95  =  -In  0.05 


In  general,  for  arbitrary  q,  0<q<l  the  time  by  which  the  system/equiprrent 
is  q  fraction  debugged  is 


tq  =  j_ln_  (l-q) 

A 

K2 

This  equation  is  a  powerful  tool  because  it  can  be  used  to  help  determine  the 
length  of  development  testing,  or,  the  debugging  period. 

Another  important  feature  of  the  model  is  that  the  number  of  nonrandom  failures 
remaining  at  time  t  can  be  estimated  and  of  course  is  Kie"^2t.  Ihe  estimate 
of  A,  say  X,  gives  the  estim.ate  of  the  long-run  achievable  MTBF. 

Ihe  differential  equation  model  is  used  to  develop  reliability  growth 
information  on: 

a.  Number  of  failures  to  be  expected  during  any  period  of  test  or 
operating  time. 

b.  State  and  effectiveness  of  the  CERT  test  phase  in  removing  early 
fai lures. 

c.  State  and  effectiveness  of  the  production  screening  test  phase 
in  removing  early  failures. 

d.  An  estimated  reliability  for  the  control  equipment  during  field 
operation . 


269 


SECTION  IX  ACCELERATED  STRESS  TESTING 


9.1  Introduction 

The  accelerated  stress  testing  of  semiconductor  devices  is  of  paramount  import¬ 
ance  in  that  it  provides  the  following; 

a.  Information  for  the  determination  of  device  failure  rates. 

b.  Information  necessary  for  devising  a  suitable,  low  cost,  screening 
method  to  eliminate  defective  devices. 

c.  Parameter  characterization  in  life  use  to  enable  recognition  of  sen¬ 
sitive  parameters  for  reliability  predictions. 

d.  Life  testing  data  indicating  median  life,  in  order  to  obtain  highly 
reliable  parts. 

e.  Information  regarding  the  life-limiting  failure  modes  and  mechanisms 
for  reliability  studies. 

Microcircuit  life  testing  under  electrical  bias  and  at  temperatures  in  excess 
of  150°C  has  been  shown  to  be  a  valid  means  of  both  identifying  life-limiting 
failure  modes  and  relating  those  modes  to  their  associated  use- temperature 
lifetimes.  This  test  plan  was  designed  to  identify  failure  modes  and  mechanisms 
in  microcircuits  in  order  to  establish  failure  rates  and  median  life,  and  to 
develop  a  sc'^eening  method  that  could  be  used  for  the  procurement  of  high  relia¬ 
bility  microcircuits  for  electronic  engine  fuel  controls. 

The  program  entailed  various  phases  performed  by  several  separate  organizations. 
Hamilton  Standard  was  responsible  for  procuring  the  test  microcircuits  from  the 
device  manufacturer.  McDonnell  Douglas  Astronautics  Company  -  St.  Loui-  (MDAC- 
St.  Louis)  performed  the  bias  circuit  evaluation  and  the  high  temperature  ac¬ 
celerated  life  tests.  Hamilton  Standard,  in  conjunction  with  United  Technolo¬ 
gies  Research  Laboratory,  was  responsible  for  detailed  analysis  of  failed 
devices  and  Hamilton  Standard  was  responsible  for  data  reduction/analysis  and 
final  program  documentation. 

Guidance  in  test  program  definition  and  content  was  provided  from  the  knowledge 
and  experience  of  Bell  Telephone  Laboratories  at  Allentown  (Mr.  Conrad  H. 

Fierdt,  Jr.)  and  the  Rome  Air  Development  Center  (Mr.  Clyde  Lane). 

The  cost  of  accelerated  stress  testing  is  dependent  ori  non-recurring  cost, 
capital  equipment  cost  and  recurring  costs  spread  over  the  quantities  of 
parts  tested.  For  a  uuanlity  of  ?50  pieces  the  total  cost  of  accelerated 
stress  testing  was  approximately  S125/component.  Recurring  costs  alone, 
for  the  quantities  typically  associated  with  electronic  engine  controls, 
are  expected  to  fall  in  the  ballpark  of  SI. 00  to  $1,50  per  component. 


9.2  Test  Program 


The  Test  Program  flow  and  Sequence  >s  shown  in  Figure  99. 

The  device  used  for  the  test  plan  was  a  Motorola  MC14163B  CMOS  counter,  pro¬ 
cessed  in  accordance  with  MIL-STD-883B,  Method  5004  Class  B.  This  device  is 
a  synchronous,  programmable,  4  bit,  binary  counter  with  synchronous  clear.  It 
was  selected  for  the  following  reasons: 

a.  It  possesses  a  circuit  complexity  representative  of  that  contained 
in  integrated  circuits  incorporated  in  the  current  state-of-the-art 
electronic  fuel  controllers. 

b.  The  generic  family  has  been  in  production  for  an  extended  period 
attesting  to  the  stability  of  the  manufacturing  process. 

c.  It  is  adaptable  for  accelerated  test  conditions. 


9.2.1  Faci 1 i ty  Eval uation 

MDAC  -  St.  Louis  was  the  facility  choosen  to  perform  the  necessary  testing  for 
the  following  reasons: 


a.  The  facility  possesed  adequate  equipment  and  lab  facilities  for  high 
temperature  testing. 


b.  The  personnel  had  demonstrated  from  previous  work  in  this  area  that 
they  had  the  technical  expertise  to  perform  all  phases  of  the  pro¬ 
gram. 


c.  The  personnel  had  demonstrated  familiarization  with  the  statistical 
nature  of  data  obtained  from  accelerated  tests  from  past  experience 
in  this  area.  This  would  be  very  instrumental  in  the  correspondence 
of  the  necessary  data  and  the  reporting  of  results  to  Hamilton  Standard. 


Some  of  the  equipment  used  at  MDAC  -  St.  Louis  was: 


a.  A  Tektronix  S3260  circuit  tester  for  automatic  testing  with  parametric 
povotout.  This  tester  was  calibrated  at  regularly  scheduled  intervals 
and  operated  by  personnel  highly  qualified  and  familiar  with  this 
device. 


b.  Special  circuit  boards,  connectors  and  sockets  along  with  interconnect¬ 
ing  wires  and  resistors  to  enable  operation  at  temperatures  in  excess 
of  200Oc. 


c.  Special  high  temperature  chambers  that  utilized  rack  mounting  of  assem¬ 
blies  containing  the  devices  under  test. 


271 


VISUAL  INSPECTION 
AND 

HERMETICITY  TESTS 


E-5681 


FIGURE  99  TEST  PROGRAM  FLOW 


9 . ? . 2  Initial  Inspections  and  Tests 

Upon  receipt  at  MDAC-St.  Louis  the  Motorola  MC14163B  devices  were  subjected  to 
a  visual  inspection  performed  per  MIL-STD-883B ,  Method  2009.1.  In  addUion, 
all  devices  were  subjected  to  fine  and  (jross  leak  tests  per  MIL-STD-883B, 

Method  1014.2,  Conditions  A1  and  C2,  respectively.  The  purpose  of  these  exam¬ 
inations  was  the  elimination  of  devices  with  shipment  induced  damage.  No  dam¬ 
age  was  observed  in  the  visual  inspection  and  all  devices  passed  the  hersieti- 
city  tests. 

All  devices  were  then  subjected  to  i'.i'i.ii  electrical  testing  at  i.sii.u 
a  lektronix  S-326C  Automated  Test  System.  The  electrical  tests  were  performed 
to  establish  a  data  base  for  the  test  program  and  to  correlate  the  measure¬ 
ments  obtained  on  the  MDAC-St.  Louis  S-3260  test  equipment  with  the  manufacturer's 
test  data.  The  electrical  tests  inc’-'ded  both  dc  parametric  tests  and  functional 
tests,  .-'i ,  -■!  Ji .'  contains  a  descrii  f  the  tests  including  test  conditions, 

end  point  limits  and  the  truth  tabV  •>  for  functional  testing.  No  fail¬ 

ures  resulted  from  the  initial  elec.,-i  ..^ts,  ard  good  correlation  was  noted 
between  the  MDAC-St.  Louis  and  manufr  provided  parametric  dati, 

9.2.3  Bias  Ci rcuit  Evaluation 

Prior  to  initiacing  the  bias  circuit  evaluation,  MDAC-St.  Louis  performed  a 
construction  wa luat  iur,.  Th'?  ■..•as  .-Ir; c-rm-ine  if  lue  oevices  contained 

materials  or  construction  features  that  would  preclude  their  operation  at  the 
temperatures  specified  in  the  Test  Plan.  The  results  of  this  evaluation  are 
summarized  in  Ai^penuix  r.  They  reveal  no  materials  nor  construction  features 
that  would  limit  testing  below  250°C. 

Following  the  construction  evaluation,  a  bias  circuit  evaluation  was  performed 
to  determine  tl’.e  suitability  of  the  selected  bias  circuit,  shown  in  '■  igur'-  136, 
for  high  tei.pcrature  accelerated  life  tests.  This  evaluation  was  accomplished 
in  three  parts.  First,  a  preliminary  bias  circuit  evaluation  was  performed. 

Next,  the  formal  bias  circuit  evaluation,  in  compliance  with  the  Test  Plan, 
was  conducted.  Finally,  the  formal  bias  circuit  evaluation  v/as  continued  at 
higher  ambient  temperatures  to  obtain  additional  data. 

The  preliminary  bias  circuit  evaluation  utilized  two  test  devices.  This  was 
done  to  limit  the  number  of  devices  that  would  be  destroyed  1n  the  event  of  a 
catastrophic  failure  mode  at  the  temperatures  of  interest.  ^^The  devices  were 
operated  at  ambient  temperatures  from  ISO^^C  to  250^C,  in  25  C  increments,  for 
approximately  30  minutes  at  each  temperature.  No  probloms  were  found  that 
would  have  required  a  test  plan  change.  This  evaluation  demonstrated  that  the 
devices  remained  functional  at  ambient  temperatures  up  to  25C‘'C. 


Th3  formal  bias  evaluation  was  subsequently  performed  in  accordance  with  the 
Statement  of  Work.  Five  devices  were  operated  in  the  Figure  100  bias  config¬ 
uration  at  each  of  the  three  specified  ambient  temperatures  (150°C,  175°C,  and 
200 °C).  The  power  supply  current  and  the  sum  of  the  six  high  input  currents 
were  monitored  and  recorded  when  the  devices  reached  the  ambient  temperature, 

15  minutes  thereafter  and  at  1  hour,  2  hours  and  4  hours.  In  addition,  the 
Outputs  of  each  device  were  monitored  periodically  with  an  oscilloscope.  The 
results  of  this  testing  are  included  in  Table  34,  Bias  Circuit  Evaluation 
Summary.  All  devices  remained  functional  and  none  exceeded  the  specified  sup¬ 
ply  current  limit  of  600  //a,  or  the  input  current  limit  of  1.0  )Ua.  With  the 
exception  of  the  data  points  noted,  the  Table  34  results  indicate  good  device 
stability  after  thermal  equilibrium  is  reached.  The  devices  were  cooled-down 
under  bias  after  each  4  hour  step  and  underwent  electrical  testing.  This  test¬ 
ing  indicated  that  the  selected  bias  circuit  was  non-destructive  at  the  speci¬ 
fied  ambient  temperatures  and  was  suitable  for  the  high  temperature  accel¬ 
erated  life  tests. 

The  bias  circuit  evaluations  were  continued  at  higher  anibient  temperatures  until 
an  ambient  temperature  was  reached  at  whicn  the  devices  would  not  function 
properly.  Five  devices  were  operated  at  225'"C,  five  at  250'’C,  and  five  at  275°C 
The  results  of  the  BES'C  and  250'‘C  steps  are  included  in  Table  34.  At  275°C 
the  output  signals  were  severly  degraded  and  the  evaluation  was  discontinued. 
Although  all  devices  remained  functional  at  the  225°C  and  250°C  ambient  temp¬ 
eratures,  three  devices  at  225°C,  and  all  five  at  250°C,  exhibited  a  supply 
current  in  excess  of  the  specified  600  A  while  the  input  currents  remained 
witliin  the  l^A  limit.  Subsequent  electrical  parametric  and  functional  testing 
indicated  negligible  device  degradation. 

Based  on  the  results  of  the  bias  circuit  evaluation,  it  was  concluded  that  the 
long  term  (2,000  hour)  accelerated  life  tests  could  be  safely  conducted  at  the 
specified  ambient  temperatures  of  IBO^C,  175°C  and  200‘C.  It  was  also  con¬ 
cluded  that  life  testing  could  be  safely  conducted  at  ambient  temperatures  as 
high  as  250°C.  After  a  review  uf  the  device  characteristics  with  the  manufac¬ 
turers,  and  through  correspondence  with  our  technology  transfer  agents,  it  was 
discovered  that  a  potential  latch-up  problem,  and  possibly  others,  would  occur 
above  200’C.  The  200°C  maximum  test  temperature  was  determined  to  be  adequate 
for  the  test  and  it  insured  that  no  test  induced  failure  mechanisms  would  result 

9.2.4  High  Temperature  Accelerated  Life  Tests 

The  high  temperature  accelerated  life  tests  were  performed  at  the  three  selected 
ambient  temperatures  (150°C,  175°C,  and  200’C'  -for  2,000  hours.  Each  test  cell 
contained  thirty  devices  which  were  biased  in  the  Figure  100  configuration. 
Periodically  during  the  life  tests  the  devices  were  cooled-down  under  bias  for 
interim  electrical  testing.  The  interir:  electrical  tests  were  the  same  as  the 
initial  electrical  tests  and  are  described  in  detail  in  Appendix  E. 


274 


TABLE  34  BIAS  CIRCUIT  EVALUATION  SUMMARY 


Temperature 

Readout 

Time 

Supply  ,y. 

Current  ( u  A)  ' 

Input  /p 

Current  (nA)  ''  ' 

ISQOc 

0 

67  (2i 

4 

15  MINUTES 

145 

4 

1  HOUR 

146 

4 

2  HOURS 

147 

5 

4  HOURS 

147 

5 

1  75OC 

0 

161 

18 

15  MINUTES 

171 

30 

1  HOUR 

175 

31 

2  HOURS 

175 

32 

4  HOURS 

175 

32 

200°C 

0 

269 

97 

15  MINUTES 

278 

100 

1  HOUR 

282 

101 

2  HOURS 

282 

99 

4  HOURS 

284 

99 

225*^0 

0 

647 

194 

15  MINUTES 

586 

262 

1  HOUR 

596 

268 

2  HOURS 

597 

269 

4  HOURS 

598 

272 

250  C 

0 

1490 

480 

15  MINUTES 

1720 

527 

1  HOUR 

1750 

533 

2  HOURS 

1750 

535 

4  HOURS 

1750 

395 

NOTES; 

ri  -  Averajp  of  five  devices 

^3)  An  adjustment  in  the  Vdd  and  clock  high  level  voltage  was 
required  following  this  measurement  accounf'ng  for  this 
low  reading 

(3'i  This  reading  is  in  error  due  to  an  offset  voltage  shift  in 
the  DVM,  Subsequent  electrical  testing  indicated  no  input 
degradation. 


276 


The  interim  electrical  test  tin-es  were  4,  8,  15,  32,  64,  12S,  256,  512,  1,000 
and  2,000  hours.  A  control  sample  of  ten  devices  was  also  tested  at  each  in¬ 
terim  readout  to  verify  the  long  term  stability  of  the  automated  test  equipment. 

No  device  failures  were  generated  by  any  of  the  accelerated  life  tests.  In 
addition,  no  device  exhibited  parametric  change  that  would  indicate  device  de¬ 
gradation,  as  shown  in  Table  35. 

9.3  Conclusion  and  Results 

The  Interim  electrical  test  data  was  reviewed  throughout  the  high  temperature 
accelerated  life  tests  to  identify  both  failed  devices  ana  specific  parameters 
that  exhibited  drift.  As  an  additional  data  evaluation  tool,  summaries  of  the 
parametric  data  were  generated  for  each  test  group  and  at  each  interim  readout. 
The  data  included  means,  standard  deviations,  and  maximum  and  minimum  values  for 
each  parameter.  Those  measurements  that  were  performed  on  several  inputs  or 
outputs  were  combined  for  this  evaluation.  The  initial  and  final  means  and  the 
standard  deviations  for  the  device  parameters  in  the  three  test  groups  are  in¬ 
cluded  in  Table  46.  The  initial  values  were  computed  using  the  specific  intial 
data  of  the  devices  which  comprise  the  various  test  groups.  It  can  be  seen  that 
no  important  changes  were  observed  as  a  result  of  the  life  tests.  A  single  de¬ 
vice  (S/N  52)  in  the  175°C  group  exhibited  a  large  I^^  (  when  measured 

at  Vq[)  =  15.0  V,  resulting  in  a  high  mean  and  sigma  value  for  that  group.  This 
measurement  was  high  when  initially  tested  by  MDAC-St. Louis  as  well  as  when 
the  manufacturer  tested  the  device.  This  current  remained  relatively  constant 
throughout  the  life  test  and  was  well  within  the  specified  en(j  point  limits. 

The  failures  versus  time  data  was  instrumental  in  determining  the  median  life 
and  reliability  level  of  the  devices  tested.  No  failures  were  obtained  for  up 
to  2,000  hours  (?  200°C.  This  data  was  indicative  of  a  highly  reliable  lot  of 
devi ces , 

In  applying  the  failure  data  obtained  to  the  lognormal  distribution  and  Arrien- 
ius  curves,  the  following  relationships  apply. 

a.  The  median  life  of  the  devices  under  test  is  greater  than  the  time 
obtained.  With  no  failures  to  2,000  hours,  at  200°C,  this  extra¬ 
polates  to  no  failures  in  approximately  4  X  109  hours  at  25*^0  using 
a  1.0  oV  slope  on  truj  Arrlienius  curves  icharacteristic  of  CMOS  devices). 
The  median  life  is  greater  than  4  x  10^  hours  at  25^C  as  no  failures 
were  obtained  at  this  point. 


L  !  i 


TABLE  35  PARAMETRIC  TEST  SUMMARY 


b.  The  failure  distribution  of  the  devices  can  be  obtained  by  further 
analysis.  The  standard  deviation  (ff  )  parameter  was  not  obtained  as 
a  result  of  the  lack  of  failures.  However,  using  an  assumed  a  that 
is  characteristic  of  CMOS  devices,  the  median  life  and  failure  dis¬ 
tribution  can  be  obtained  after  only  a  few  percent  of  failures.  The 
slope  of  the  lognormal  cdf  curve  corresponding  to  c  will  also  provide 
the  50%  median  life  point  and  other  failure  points.  The  50%,  or 
greater,  failures  data  Is  needed  to  fully  determine  the  exact  values 
of  median  life  and  a  of  each  group  of  devices.  At  125°C,  the  extra¬ 
polated  value  of  2,000  hours  at  200°C  is  2.5  x  10^  hours. 

The  accelerated  tests  and  resultant  data  indicated  that  the  CMOS  devices  used 
were  highly  reliable.  Other  characteristics  of  these  devices  are  indicated  by 
the  values  of  the  parameters  that  were  actually  obtained.  In  particular,  the 
values  of  the  leakage  currents  (approximaiely  100  nA  025°C)  were  far  below  the 
maximum  specified,  value  of  5.0/iA  by  the  manufacturer.  The  amount  of  drift 
of  this  parameter  was  small  as  indicated  In  Table  35.  The  low  values  for 
leakage  currents  correspond  to  the  values  that  would  be  used  in  MIL-M-38510 
for  CMOS  devices. 

In  closing.  It  was  found  that  accelerated  stress  testing  has  demonstrated  that 
reliable  CMOS  devices  are  obtainable  and  the  data  obtained  is  useful  for 
screening  processes  and  reliability  indicators. 


279 


SECTION  X  COST  OF  OWNERSHIP  STUDY  FOR  RELIABILITY 
ADVANCEMENT  OF  ENGINE  ELECTRONIC  CONTROLLERS 


10.1  Introduction 

A  liriiited  Cost-of-Ownersh i D  Study  of  Candidate  Prel itriinary  Designs  was  perforfped 
as  part  of  a  digital  electronic  control  system  design  study  to  determine  guide¬ 
lines  for  Reliability  Advancement  of  Electronic  Engine  Controller  (RAEEC).  The 
scope  of  this  cost  study  was  guided  by  the  program  directive  that  primary  emphasis 
shall  be  given  to  achievement  of  the  controller  MTBF  goal  reronrizing  that  cost, 
performance,  weight  and  volume  limits  must  be  observed.  Therefore,  the  cost  of 
ownership  study  represents  a  small  part  of  the  total  program  and  indicates  trends 
and  guidelines  based  on  the  analysis  of  "preliminary  designs." 

A  fundanerital  reason  t'or  Cost-ot  Ownership  Investigation  during  the  oesign  o^' 
weapon  systems,  subsystems  and  equipment  is  to  influence  the  decision  process 
to  insure  the  production  of  hardware  v/hicii  will  satisfy  reliability  and  opera¬ 
tional  requirements  for  the  lowest  total  cost  of  ownership.  The  program  des¬ 
cribed  herein  estimates  the  expected  support  costs  that  may  be  incurred  by  adopt¬ 
ing  a  particular  design.  The  model  is  also  used  to  compare  and  discriminate 
among  design  alternatives  where  relative  cost  difference  and  cost  trend  is  an 
important  figure  of  merit. 

The  input  for  the  Cost-of-Ownership  Study  was  based  on  the  controller  reliability 
ittiprovements  evolved  by  the  RAEEC  study.  This  study  identified  reliability  im¬ 
provements  in  eight  catagories.  The  overall  controller  mean  time  between  un¬ 
scheduled  removal  (MTBUR)  was  assessed  for  the  addition  of  each  reliability  im¬ 
provement  feature.  The  acquisition  cost  was  also  incremented  to  show  the  cost 
effect  of  the  reliability  Improvement  along  with  the  specific  cost-to-repai r 
information.  This  input  was  then  modeled  with  the  life  cycle  cosf  (LCC;  com¬ 
puter  deck  to  evaluate  the  overall  Cost-of-Ownership  effecr.. 

10.2  Objective 

The  specific  objective  of  the  Cost-of-Ownership  Study  was  the  determination  of 
advanced  controller  life  cycle  costs  for  various  degrees  of  increased  reliability. 
Previous  studies  of  controller  improvement  have  indicated  cost  benefits  derived 
from  the  "Self-Trim"  aspect  of  advanced  controllers.  Cost  savings  resulting 
from  the  "Self-Trim"  feature  are  primarily  in  the  area  of  reduced  engine  spare 
parts  costs  and  an  increase  in  the  engine  flight  hours  to  operating  hours  ratio. 
(See  Appendix  F},  The  present  study  examines  degrees  ot  increasing  cost-effec¬ 
tiveness  resulting  from  increased  reliability,  until  an  optimum  point  is  reached. 

10.3  Sunimary 

Current  engine  controllers,  with  little  inherent  redundancy,  exhibit  reliability 
values  of  about  1500  hr  operating  time  between  failures  (repairs).  In  this  study, 
i!.crei:iental  increases  in  reliabilit.y  are  predicted  for  specific  improvements  in 


260 


component  technology  and  operating  philosophy  for  several  advanced  controllers. 
Each  of  these  improvements  involves  an  initial  acquisition  cost  increase  but 
results  in  decreased  support  costs  over  the  useful  life  of  the  controller.  The 
cumulative  effects  of  increased  reliability  result  in  decreasing  total  LCC  due 
to  fleet-wide  reductions  in  the  frequency  of  removal  and  repair  of  controllers. 
However,  a  point  of  diminishing  returns  is  generally  seen  in  any  attempt  to  con¬ 
tinually  increase  the  reliability  aspects  of  each  type  of  controller. 

In  general,  reliability  improvement  to  a  level  of  about  ten  thousand  (10,000) 
hours  between  controller  repair  is  seen  to  result  in  a  significant  decrease  in 
operating  and  support  costs  over  a  15-yr  operational  life,  with  a  relatively 
small  increase  in  acquisition  cost.  The  greatest  decrease  in  support  r  and 
consequently  total  cost,  occurs  as  reliability  improvement  approaches  ti. .  "  000 

hr  level.  This  encompasses  essentially  the  first  five  incremental  rel iei' . , . ty 
improvements  of  the  eight  levels  of  imprcvenient  under  consideration.  Beyond 
that  point  of  reliability  achievement,  the  considered  reliability  improvements 
(selected  redundancy,  component  and  assembly  screens)  indicate  a  three-fold  in¬ 
crease  in  hours  between  unscheduled  control  removal  (30,000  +  hr),  but  produce 
diminishing  support  cost  reductions  which  do  not  offset  the  increased  acquisition 
cost  for  the  specific  improvements.  The  total  LCC  therefore  increases  with  in¬ 
troduction  of  these  latter  improvements. 

The  diminished  benefits  of  increased  reliability  take  on  increased  significance 
when  viewed  in  relation  to  the  usefulness  of  the  increase  to  total  engine  life. 

As  reliability  of  the  particular  controller  increases  beyond  the  useful  life  of 
the  eiigine  on  which  it  is  utilized,  the  value  of  increased  reliability  through 
incremental  improveiient  is  not  cost-effective  as  total  cost  of  additional  relia¬ 
bility  increases. 


10.4  Approach 


1 C . 4 . 1  Ground  Rules 

The  advanced  controller  Cost-of-Ownership  Study  was  based  on  incorporation  of 
controls  into  an  F-15  type  of  aircraft  powered  by  two  engines.  This  system 
was  chosen  as  a  baseline  for  the  study  because  of  availability  of  engine  and 
airframe  LCC  data,  particularly  engine  maintenance  costs. 

Specific  ground  rules  used  in  the  study  include: 

•  729  total  aircraft,  540  operational 

•  1674  engines,  including  spares 

•  Each  operational  A/C  flies  25  hr/month  for  15  years 


20 1 


•  Organizational  and  intermediate  level  labor  rate  is  $16.25 
per  man-hour;  depot  rate  is  $26.00,  unless  otherwise 
specified 

•  Fuel  cost  is  $0.45  per  gallon 

•  Current  Tactical  Air  Command  maintenance  concepts 

•  Constant  1978  dollars 

These  criteria  were  utilized  as  baseline  input  to  the  engine  LCC  model,  which 
collects  all  major  cost  elements  of  controller  operation  for  proper  assessment 
of  reliability  increase  within  the  control.  (See  Figure  101).  The  model  pro¬ 
duces  cost  projections  for  fleet-wide  incorporation  of  particular  control  con¬ 
figurations  at  specified  reliability  levels. 

10.4.2  System  Configurations 

The  LCC  model  was  exercised  for  four  advanced  control  configurations  which 
differ  in  degree  of  redundancy  utilized  in  controller  design.  The  four  con¬ 
trols  under  consideration  are; 

a)  Nonredundant  (Simplex) 

b)  Duplex  control 

c)  RAEEC  Control  -  Primarily  Duplex  with  selected  Triplex  functions 

d)  Triplex  control 

All  these  control  systems  have  the  design  capability  to  control  an  advanced 
variable  cycle  engine  and  operate  with  a  "self-trim"  mode. 

Each  control  type  is  evaluated  for  the  cost  of  eight  specific  reliability 
improvements,  each  representing  an  incremental  increase  in  reliability  from  the 
baseline  configuration. 

Each  control  was  first  configured  with  baseline  technology  which  was  that  of  the 
Full  Authority  Digital  Electronic  Control  (FADEC).  The  controls  were  then  re¬ 
designed  utilizing  the  following  eight  reliability  improvement  technologies; 

a)  Reduced  Voltage  CMOS 

b)  Improved  Ttiermal  Packaging 

c)  Improved  Vibration  Isolation 

d)  Improved  Component  Technology 

e)  Reduction  of  Interconnects 

f)  Selected  Redundancy 


282 


AIRCRAFT 

EFFECTIVENESS 


CN6INC/CONTROL 

CHARACTERISTICS 


system 

LIFE  CYCLE  COST 


AVAILABILITY 


-RELIABILITY 

•  MTBUM  ■  -  -  —  ■ 

•  mtbf  — — — — 

LIFE - 

MAINTAINABILITY 

—  •  DOWN  TIMC/CNGINE  PULL - 

—  •SPARE  ENGINC/CONTROL  AVAILABILITY  — ' 

SPARE  PARTS  - 


ON-EGUIPMENT  MAINTENANCE  — 
OFF-EQUIPMENT  MAINTENANCE- 
SUPPORT  EQUIPMENT  .  . 

FACILITIES' - 

TRAINING  - 

INVENTORY  MANAGEMENT  -  — 
TECH.  DATA 


OPERATING  COST 

•  MAINTENANCE 

•LABOR 
•  MATERIAL 

•  FUEL/LUBE 
MAJOR  SPARES 

•  ENGINE/CONTROLS 

•  AIRCRAFT 


SURVIVABILITY 


VULNERABILITY 


PERFORMANCE  ^ 

•  RANGE 

•  PAYLOAD 

•  SPEED 

•  MANEUVERABILITY 


THRUST 

SPECIFIC  FUEL  CONSUMPTION 
WEIGHT 

MFG  COST  - 


ATTRITION  COST 

•  UNCOMPLETED 
MISSIONS 

•  LOST  AIRCRAFT 


DEVELOPMENT  COST 
PROCUREMENT  COST 


E-2032 


FIGURE  101  LIFE  CYCLE  COST  ELEMENT^ 


g)  Component  Screening 
h;  Assembly  and  Test  Screening 

In  aolition  to  the  reliability  improverent  measure,  all  controls  were  packaged 
with  a  modular  construction.  This  packaging  change  was  implemented  with  the 
improved  thernial  package.  This  change  resulted  in  a  significant  difference  in 
maintenance  philosophy  because  90%  of  the  control  maintenance  could  now  be 
accomplished  at  the  intermediate  level.  This  has  been  reflected  in  the  repair 
costs  by  reducing  maintenance  man-hours  to  repair,  increasing  cost  of  parts  to 
repair,  and  reducing  overall  support  equipment  costs.  This  maintenance  phil¬ 
osophy  was  then  held  constant  for  the  remainaer  of  the  reliability  improvements. 

10.4.3  Major  Cost  Elements 

The  LCC  of  any  system  is  normally  divided  into  three  major  elements:  Research 
and  Development  (RS.D),  Acquisition,  and  Operations  and  Support  (O&S).  RS.L 
costs  for  the  subject  program  were  estimated  based  on  actual  RiD  costs  froni 
the  electronic  engine  control  for  the  JT9-D  engine.  Additions  were  made  to 
account  for  the  greater  complexity  of  the  basic  control  due  to  the  greater 
number  of  control  loops  and  control  functions  as  well  as  the  effect  of  redun¬ 
dancy  on  the  •'■'g,!:  costs. 

Acquisition  costs  were  estimated  from  parts  and  miaterial  lists  generated  for 
the  subject  program.  Recurring  manufacturing  costs  were  augmented  by  the  costs 
of  special  tooling  and  test  equipment  to  build  tlie  design  described  in  the 
report  section  describing  control  packaging. 

Operating  and  Support  Costs  were  calculated  usir  ■  the  Air  Force  Logistics  Com¬ 
mand  (AFLC)  Logistic  Support  Cost  Model  (reference  60).  The  support  niooel 
equation  elenents  are  listed  in  Figure  102.  This  study  was  directed  at  onlv 
those  cost  elements  affected  by  the  control.  These  are  equations  (1,2,  3, 

6,  and  7)  and  are  shown  in  Figures  103  thru  107.  Equation  5  for  costing  sup¬ 
port  equipment  was  replaced  witt'  a  total  cost  for  support  equipment  supplied 
by  Hamilton  Standard.  Equations  4,  8,  9,  and  10  were  deleted  from  the  study. 

The  terms  used  in  the  ESC  model  equations  are  defined  in  Table  36.  Values  for 
terms  which  were  held  constant  in  the  equations  are  also  defined  in  this  table. 
The  items  which  were  input  parameters  are  defined  in  Table  37  along  with  numer¬ 
ical  values  for  these  parameters. 

The  overall  electronic  control  reliability  factor,  MTBUR,  and  associated  cost 
were  supplied  by  Hamilton  Stanoatd  for  each  control  configuration.  These  in¬ 
puts,  coupled  with  specific  maintenance  and  support  costs  were  utilized  by 
the  Model  m  Equation  1  (Figure  103)  to  determine  the  differences  in  spare 


Equation 

(D 

@ 

@ 


© 

@ 

8 

9 


Cost  Ele:rient 
Pipeline  Spares 
On-Equipment  Maintenance 
Off-Equipment  Maintenance 
Inventory  Management 

Support  Equipment 
Personnel  Training 
Technical  Data 
Facilities 
Fuel 


10  Spare  Engines 


O  =  Equations  Used  in  this  Study 


Drivers 

MTBF,  Cost,  Fit  hr 

MTBF,  Fit  hr,  Labor  Rates 

MTBF,  Fit  hr,  CRTS,  Labor  Rates 

Deleted  -  Not  Impacted  by 
Study  Variables 

Replaced  With  HSD  Cost  Data 

MTBF,  Fit  hr.  Repair  Time 

MTBF,  Fit  hr,  Nc.  Pages 

3eleted-Not  Inpactec  by  Variables 
in  tills  Study 


FD 


FIGURE  102  USAF  LOGISTICS  SUPPORT  COST  MODEL 


235 


FIGURE  103  EQUATION  1  -  PIPELINE  SPARES 


FtGURE  104  EQUATrON2  -  ON-EQUIPMENT  MAINTENANCE 


Average  Intermediate  MMH 


FIGURE  105  EQUATIONS  -  OFF-EQUIPMENT  MAINTENANCE 


figure  106  EQUATION  6  -  PERSONNEL  TRAINING 


—I  ^ 


(A 

CA 

w 

3 

O 

£ 

c 

3 

CD 

o 

JC 

2 

c 

(A 

(0 

*o 

2 

</) 

tv 

o 

o 

(A 

*o 

0) 

3 

GC 

O 

o 

^  ■ 

£1 

o 

c 

C 

d) 

0) 

CQ 

cr 

e 

s 

>» 

o. 

<A 

a 

'5 

■o 

Q. 

o* 

3 

CO 

o 

o 

9 

J 

O 

cr 

0) 

o> 

CO 

cr 

3 

c 

w 

9 

a 

CO 

v> 

c 

o 

o 

•o 

c 

CO 

CO 

c 

O) 

*& 

w 

'w 

O 

O 

o 

(A 

9 

at 

CO 

CL 

CD 

CD  ^ 

Q  5 

1  I 

5|  I 


FIGURE  107  EQUATION  7  -  TECHNICAL  DATA 


TABLE  36  DEFINITION  OF  TERMS  IN  LSC  MODEL  EQUATIONS 


Equation 

Value 

Description 

BCMH 

Variable 

Average  man-hours  to  perform  a  shop  bench  check, 
screening  and  fault  verification  on  a  removed  FLU 
prior  to  initiating  repair  action  or  condemning 
the  item. 

BLR 

16.25 

Base  labor  rate. 

BMC 

Vari able 

Average  cost  per  failure  for  a  FLU  repair  at  base 
level  for  stocking  and  repair  of  lower  level  assem¬ 
blies  expressed  as  a  fraction  of  the  FLU  unit  cost. 

BHM 

Variable 

Average  man-hours  to  perform  intermediate-level 
(base  stop)  maintenance  on  a  removed  FLU,  including 
fault  isolation,  repair,  and  verification. 

BMR 

3.19 

Base  consumable  material  consumption  rate. 

CMRI 

400 

Combined  maintenance  removal  interval.  Average 
engine  operating  hours  between  removals  of  the  whole 
engine. 

COND 

0.0 

Fraction  of  removed  FLU's  expected  to  result  in  con¬ 
demnation  at  base  level. 

DLR 

26.00 

Depot  labor  rate. 

DMC 

Variable 

Same  as  BMH  except  refers  to  depot  repair  actions 

DMH 

Variable 

Same  as  BMR  except  refers  to  depot-level  maintenance. 

DMR 

5.19 

Same  as  BMR  except  refers  to  depot-level  maintenance. 

URCT 

1.48 

Weighted  average  depot  repair  cycle  time  in  months. 

EOH 

0.0 

Average  cost  per  overhaul  of  the  complete  engine  at 
the  depot  expressed  as  a  fraction  of  the  engine  unit 
cost. 

ERA 

2.0 

Number  of  engines  per  aircraft. 

ERMH 

0.0 

Average  man-hours  to  remove  and  replace  a  whole 
engine  including  engine  trim  and  run-up  time. 

291 


TABLE  36  DEFINITION  OF  TERMS  IN  LSC  MODEL  EQUATIONS  (Continued) 


Equation 

Value 

Description 

ERTS 

0.8 

Return  rate  for  engines;  fraction  of  removed  whole 
engines  which  are  returned  to  service  by  base 
maintenance. 

EUC 

'0.0 

Expected  unit  cost  of  a  whole  engine. 

IMH 

0.0 

Average  man-hours  to  perform  corrective  maintenance 
of  the  FLU  in  place  or  on-line  without  removal, 
including  fault  isolation,  repair,  and  verification. 

M 

7.0 

Number  of  intermediate  repair  locations  (operating 
bases) . 

MTBF 

Variable 

Mean  time  between  failures  in  operating  hours  of  the 
FLU  in  the  operational  environment. 

N 

1.0 

Number  of  different  FLU's  within  the  system. 

NRTS 

0.1  or  0.9 

Fraction  of  removed  FLU's  expected  to  be  returned 
to  the  depot  for  repair. 

OS 

0.0 

Fraction  of  total  force  deployed  to  overseas  loca¬ 
tions. 

PAHM 

1 .0 

Average  man-hours  expended  in  place  on  the  installed 
system  for  preparation  and  access  for  the  FLU. 

PFFH 

27,000 

Peak  force  flying  hours  -  expected  fleet  flying  hours 
for  one  month  during  the  peak  usage  period. 

PSC 

0.59 

Average  packing  and  shipping  cost  to  CONUS  locations. 

PSO 

1.22 

Average  packing  and  shipping  cost  to  overseas  loca¬ 
tions  . 

QPA 

1  .0 

Quantity  per  application. 

RIP 

0.0 

Fraction  of  FLU  failures  which  can  be  repaired  in 
place  or  on-line  without  renioval. 

RMFI 

7.0 

Average  man-hours  to  fault  isolate,  remove,  and  re- 

place  the  FLU  on  the  installed  systen  and  v.'fify 
restoration  of  the  systen:  to  operational  statiis. 


( 


TABLE  36  DEFINITION  OF  TERMS  IN  LSC  MODEL  EQUATIONS  (Continued) 


Equation 

Value 

Description 

RTS 

0.0 

Fraction  of  removed  FLU's  expected  to  be  repaired 
at  base  level . 

SMH 

12.0 

Average  man-hours  to  perform  scheduled  periodic 
or  phased  inspections  on  the  system. 

SMI 

300.0 

Flying  hour  interval  between  scheduled  periodic 
or  phased  inspections  on  the  system. 

STK 

0.0 

Required  for  each  base  to  fill  the  base  repair 
pipeline,  including  a  safety  stock  to  r.rjtect 
against  random  fluctuations  in  demand. 

TFFH 

4,860,000 

Expected  total  force  flying  hours  over  the  program 
inventory  usage  period. 

UC 

Variable 

Expected  unit  cost  of  the  FLU  at  the  time  of  ini¬ 
tial  provisioning. 

UF 

1.5 

Ratio  of  operating  hours  to  flying  hours  for  the 
FLU  (Use  Factor), 

W 


Variable 


FLU  unit  weight  in  pounds. 


TABLE  37  WEAPON  SYSTEM  INPUT  PARAMETERS 


Term 

Value 

Description 

EBO 

0.10 

Standard  established  for  expected  back  orders  -  the 
expected  number  of  unfilled  demands  existing  at  the 
lowest  echelon  (bases)  at  any  point  in  time. 

IMC 

46.60 

Initial  management  cost  to  introduce  a  new  line  item 
of  supply  (assembly  or  piece  part)  into  the  Air  Force 
inventory. 

M 

7.00 

Number  of  intermediate  repair  locations  (operating 
bases) . 

MRF 

0.24 

Average  man-hours  per  failure  to  complete  off-equip¬ 
ment  maititenance  records. 

MRO 

0.08 

Average  man-hours  per  failure  to  complete  on-equip¬ 
ment  maintenance  records. 

NSYS 

1.00 

Number  of  systems  within  the  weapon  system. 

OS 

0.0 

Fraction  of  total  force  deployed  to  overseas  loca¬ 
tions. 

OST 

0.394 

Weighted  average  Order  and  Shipping  Time  in  months. 

The  elapsed  time  between  the  initiation  of  a  request 
for  a  serviceable  item  and  its  receipt  by  the  re¬ 
questing  activity. 

PFFH 

27,000 

Peak  Force  Flying  Hours  -  expected  fleet  flying  hours 
for  one  month  during  the  peak  usage  period. 

PIUP 

15  yrs 

Operational  service  life  of  the  weapon  system  in  years 
(Program  Inventory  Usage  Period). 

PM8 

1704 

Direct  productive  man-hours  per  man  per  year  at  base 
level  (includes  "touch  time",  transportation  time, 
and  setup  time) . 

PMD 

1788 

Direct  productive  man-hours  per  man  per  year  at  the 
depot  (includes  "touch  time",  transportation  time, 
and  setup  time) . 

PSC 

0.59 

Average  pecking  and  shipping  cost  to  CONUS  locations. 

PSO 

1.22 

Average  packing  and  shipping  cost  to  overseas  loca¬ 
tions. 

294 


TABLE  37  WEAPON  SYSTEM  INPUT  PARAMETERS  (Continued) 


Term 

Value 

Description 

RMC 

104.20 

Recurring  management  cost  to  maintain  a  line  item 
of  supply  (assembly  or  piece  part)  in  the  wholesale 
inventory  system. 

$A 

36.59 

Annual  base  supply  line  item  inventory  management 
cost. 

SR 

0.25 

Average  man-hours  per  failure  to  complete  supply 
transaction  records. 

TO 

220.00 

Average  cost  per  original  page  of  technical  documen¬ 
tation.  The  average  acquisition  cost  of  one  page 
of  the  reproducible  source  document. 

TFFH 

4,860,000 

Expected  Total  Force  Flying  Hours  over  the  Program 
Inventory  Usage  Period. 

TR 

0.16 

Average  man-hours  per  failure  to  complete  transpor¬ 
tation  transaction  forms. 

TRB 

0.129 

Annual  turnover  rate  for  base  personnel. 

TRD 

0.'  . 

Annual  turnover  rate  for  depot  personnel. 

ARBUT 

0.30 

Engine  Automatic  Resupply  and  Buildup  Time  in 
months. 

BP 

0.20 

Base  engine  repair  cycle  time  in  months. 

CMRL 

400.0 

Combined  Maintenance  Removal  Interval.  Average 
engine  operating  hours  between  removals  of  the  whol 
engine. 

CONF 

0.90 

Confidence  factor  reflecting  the  probability  of  sat 
isfying  a  random  demand  for  a  whole  engine  from 
serviceable  stock  to  replace  a  removed  engine. 

DP 

2.9 

Depot  engine  repair  cycle  time  in  months. 

FC 

0.45 

Fuel  cost  per  unit. 

FR 

0.0 

Fuel  consumption  rate  of  one  engine  in  units  per 
flying  hour. 

TABLE  37  WEAPON  SYSTEM  INPUT  PARAMETERS  (Continued) 


Term 

Value 

Description 

LS 

15.0 

Number  of  stockage  locations  for  spare  engines. 

BCA 

0.0 

Total  cost  of  additional  items  of  common  base  shop 
support  equipment  per  base  required  for  the  system. 

BAA 

168.0 

Available  work  time  per  man  in  the  base  shop  in 
man-hours  per  month. 

BLR 

16.25 

Base  labor  rate. 

BMR 

3.19 

Base  consumable  material  consumption  rate.  Includes 
minor  items  of  supply  (nuts,  washers,  rags,  cleaning 
fluid,  etc.)  which  are  consumed  during  repair  of 
items . 

BPA 

0.0 

Total  cost  of  peculiar  base  shop  support  equipment 
per  base  required  for  the  system  which  is  not 
directly  related  to  repair  of  specific  FLU'S  or 
when  the  quantity  required  is  independent  of  the 
anticipated  work  load  (such  as  overheaa  cranes  and 
shop  fixtures). 

BRCT 

0.33 

Average  Base  Repair  Cycle  Time  in  months.  The 
elapsed  time  for  a  RTS  item  from  removal  of  the 
failed  item  until  it  is  returned  to  base  service¬ 
able  stock  (less  time  awaiting  parts). 

CS 

1.0 

Cost  of  software  to  utilize  existing  Automatic 

Test  Equipment  for  the  system. 

DC  A 

0.0 

Total  cost  of  additional  items  of  common  depot 
support  equipment  required  for  the  system. 

DAA 

168.0 

Available  work  time  per  man  at  the  depot  in  man¬ 
hours  per  month. 

DLR 

26.0 

Depot  labor  rate. 

DKR 

5.19 

Same  as  BMR  except  refers  to  depot-level  main¬ 
tenance. 

DPA 

0.0 

Same  as  BPA  except  relates  to  depot  support  equip- 

ment . 


296 


TABLE  37  WRAPON  SYSTEM  INPUT  PARAMETERS  (Continued) 


Term 

Value 

Description 

DRCT 

1.48 

Weighted  average  Depot  Repair  Cycle  Time  in  months. 
The  elapsed  time  for  a  NRTS  item  from  removal  of  the 
failed  item  until  it  is  returned  to  depot  service¬ 
able  stock.  This  includes  the  time  required  for 
base-to-depot  transportation  and  handling  and  the 
shop  flow  time  within  the  specialized  repair  acti¬ 
vity  required  to  repair  the  item. 

FB 

0.0 

Total  cost  of  new  base  facilities  (including  utili¬ 
ties)  to  be  constructed  for  operation  and  maintenance 
of  the  system,  in  dollars  per  base. 

FD 

0.0 

Total  cost  of  new  depot  facilities  (including  util¬ 
ities)  to  be  constructed  for  maintenance  of  the 
system. 

FLA 

0.0 

Total  cost  of  peculiar  flight-line  support  equipment 
and  additional  items  of  common  flight-line  support 
equipment  per  base  required  for  the  system. 

H 

4150 

Number  of  pages  of  depot-level  technical  orders  and 
special  repair  instructions  required  to  maintain  the 
system. 

IH 

0.0 

Cost  of  interconnecting  hardware  to  utilize  existing 
Automatic  Test  Equipment  for  the  system. 

JJ 

1700 

Number  of  pages  of  organizational  and  intermediate 
level  technical  orders  required  to  maintain  the 
system. 

N 

1.0 

Number  of  different  FLU's  within  the  system. 

SMH 

12.0 

Average  man-hours  to  perform  a  scheduled  periodic 
or  phased  inspection  on  the  system. 

SMI 

300.0 

Flying  hour  interval  between  scheduled  periodic  or 
phased  inspection  on  the  system. 

SYSNOUN 

Name  of  the  system  -  up  to  60  alphanumeric  charac¬ 
ters. 

TABLE  37  WEAPON  SYSTEM  INPUT  PARAMETERS  (Continued) 


Term 

Value 

Description 

TCB 

9500 

Cost  of  peculiar  training  per  man  at  base  level  in¬ 
cluding  instruction  and  training  materials. 

TCD 

7000 

Cost  of  peculiar  training  per  man  at  the  depot  in¬ 
cluding  instruction  and  training  materials. 

TE 

240,000 

Cost  of  peculiar  training  equipment  required  for 
the  system. 

XSYS 

2300 

System  identification.  The  assigned  five-character 
alphanumeric  Work  Unit  Code  of  the  system. 

298 


control  requirements  resulting  from  the  changes  in  MTBUR.  The  model  determines 
the  base  and  depot  facility  pipeline  spares  supply  required  to  ensure  with  90% 
confidence  that  no  out-of-stock  situation  will  occur.  The  operating  and  sup¬ 
port  cost  equations  2,  3,  6  and  7  from  the  LSC  model  were  then  used  to  calculate 
the  remaining  O&S  costs. 

10.5  Results 

The  total  life  cycle  cost  for  each  control  configuration  is  plotted  against 
controller  maintenance  reliability  (mean  time  between  usncheduled  removals). 

Figure  108  is  related  to  only  one  portion  of  the  reliability  study,  namely, 
maintenance  reliability.  Maintenance  reliability  is  the  characteristic  for 
which  a  formal  goal  was  established  in  the  subject  RAEEC  program.  However, 
another  very  important  reliability  characteristic  is  mission  reliability.  The 
importance  of  mission  reliability  has  been  recognized  but  credible  cost  data 
could  not  be  assembled  within  the  time  and  money  framework  of  the  subject  pro¬ 
gram. 

The  results  shown  in  Figure  108  relating  to  the  maintenance  reliability  portion 
of  the  cost  of  ownership  story  are  indications  of  the  trends  associated  with 
various  redundancy  levels.  The  tendency  to  select  the  lowest  cost  "Simplex" 
controller  configuration  must  be  tempered  with  the  mission  reliability  and 
flight  safety  requirements  of  a  real-life  aircraft  application.  A  "simplex" 
control  with  its  inherent  lack  of  fault  tolerance  cannot  approach  levels  of 
reliability  desired  for  mission  and  flight  safety  requirements  of  a  full-author¬ 
ity  electronic  engine  controller.  A  degree  of  redundancy  will  doubtless  be 
required  and  the  cost  trades  associated  with  several  types  of  redundancy  are 
indicated  in  Figure  108. 

If  very  high  operational  readiness  and/or  mission  reliability  levels  are  found 
to  be  necessary  the  additional  cost  of  achieving  the  associated  higher  MTBUR 
levels  appears  modest. 

As  MTBUR  is  increased  in  Figure  108  costs  diminish  rapidly  for  the  RAEEC  and 
duplex  systems  to  a  minimum  at  about  the  5000  hour  point,  followed  by  rising 
costs  as  MTBUR  increase  to  the  10,000  to  30,000  hour  level.  The  sharp  drop 
in  cost  as  MTBUR  increases  to  5000  hours  is  due  to  a  reduction  in  Operation 
and  Support  Cost.  Further  reduction  in  Operation  and  Support  cost  coupled 
with  increases  in  acquisition  cost  are  present  as  MTBUR  increases  beyond 
5000  hours.  This  consideration  is  responsible  for  the  slow  increase  in  life 
cycle  cost  beyond  5000  hours. 

A  comparison  of  the  life  cycle  costs  for  duplex  and  duplex/triplex  RAEEC 
(selected  triple  redundancy)  shows  a  comparable  level  of  life  cycle  cost  for 
each  at  values  of  MTBUR  below  4000  hours.  This  is  made  possible  by  the  cost 
effective  selection  of  parts  to  be  triplicated.  The  added  level  of  redundancy 
in  selected  locations  of  the  RAEEC  control  makes  voting  possible  with  resulting 
improved  coverage  and  opportunities  for  more  effective  fault  detection  result¬ 
ing  in  higher  reliability  and  lower  operating  and  support  costs  while  achiev¬ 
ing  levels  of  maintenance  and  mission  reliability  not  possible  with  a  duplex 
system. 


Total  LCC  -  i$  Millions) 


0  10  20  30  40  50 

MTBUR  -  (nrs  X  K)  fo!75335 


FIGURE  108  electronic  ENGINE  controller  COST  COMPARISON 


The  four  curves  of  Figure  108  labeled  Simplex,  Duplex,  RAEEC  and  Triplex 
are  different  in  life  cycle  cost  by  a  substantial  amount.  This  is  due 
primarily  to  large  differences  in  redundancy  being  reflected  in  substantial 
differences  in  acquisition  cost. 

It  should  be  noted  in  Figure  108  that  the  Duplex  curve  increased  in  overall  LCC 
at  a  steep  rate  after  approximately  8000  hours.  This  was  caused  by  the  fact 
that  the  "fly  with  faults"  philosophy  was  not  introduced  for  the  Duplex  system, 
but  was  introduced  for  the  triplex  channels  of  the  RAEEC  and  Triplex  systems. 
Figure  144  also  shows  that  adding  redundancy  can  extend  the  MTBUR  to  extremely 
high  numbers  but  at  a  significant  increase  in  overall  LCC. 


10.6  Conclusion 

The  Cost-of-Ownership  study  was  conducted  for  the  Reliability  Advancement 
Study  for  Electronic  Engine  Controllers.  The  objective  was  to  evaluate 
the  overall  effect  on  cost  oi  ownership  of  significantly  increased  electronic 
controller  reliability.  This  was  accomplished  by  defining  eight  reliability 
improvement  measures  and  their  associated  acquisition  cost  and  maintenance 
data.  These  acquisition  costs  and  maintenance  data  were  then  input  to  the 
Air  Force  Logistics  Command  Logistics  Support  Model  to  evaluate  the  LCC. 

The  results  were  tabulated  and  the  following  conclusions  were  made: 

a)  Increasing  electronic  controller  reliability  does  decrease  the 
cost-of-ownership  of  the  controller  by  decreasing  operating  and 
support  costs  up  to  a  given  point.  At  this  point  the  effect  on 
operating  and  support  cost  diminishes  and  is  offset  by  increasing 
acquisition  cost,  which  causes  an  increase  in  total  LCC. 

b)  The  addition  of  redundancy  results  in  a  significant  increase  in 
controller  life  cycle  cost.  The  increase  to  acquisition  cost 
caused  by  duplicating  and  triplicating  the  control  parts  over¬ 
rides  the  payback  from  reducing  O&S  costs  with  the  increased 
MTBUR.  It  should  be  noted,  however  that  there  were  no  cost  savings 
considered  for  the  improved  mission  reliability  which  would  result 
from  the  redundancy. 

c)  Incorporation  of  the  modular  design  concept  produced  a  large 
improvenient  in  LCC.  This  can  be  attributed  to  allowing  the 
maintenance  to  be  moved  to  the  intermediate  level  from  the  depot 
level,  thus  reducing  the  number  of  spare  controls  required  for 
the  pipeline  and  reducing  the  cost  to  repair  the  units. 


301 


i 


SECTION  XI  DEVELOPMENT  GUIDE 

Based  on  the  material  presented  in  this  "Final  Report",  a  "Guide  for  Develop¬ 
ment  of  High  Reliability  Electronic  Engine  Controllers",  AFWAL-TR-80-2063,  Vol 
II,  has  been  prepared.  This  is  a  comprehensive  document  which  specifies  pro¬ 
cedures,  practices,  concepts,  measures,  testing,  quantitative  measures  of  X* 
etc.,  for  use  by  any  future  developer  of  said  controllers.  Emphasis  has  been 
placed  on  areas  essential  to  the  achievement  of  very  high  reliability  goals. 


SECTION  XII  CONCLUSIONS 


The  projected  use  of  electronic  technology  in  the  full  authority  control  systems 
of  future  high  performance  aircraft  engines  has  required  the  subject  investiga¬ 
tion  of  means  to  improve  the  reliability  potential  of  electronic  engine  con¬ 
trollers  such  that  at  maturity  no  reliability  penalty  need  attend  their  use  on 
military  aircraft  engines.  In  order  that  the  reliability  of  electronic  con¬ 
trollers  approach  tlie  reliability  level  of  mature  hydromechanical  controls,  a 
variety  of  reliability  improvements  have  been  investigated  in  this  study.  It  is 
significant  that  the  selected  reliability  improvements  do  indeed  show  the  po¬ 
tential  to  meet  and  even  exceed  the  25,000  hour  MTBF  goal  for  a  mature  control. 
And  further  that  substantial  reliability  improvements  can  be  achieved  with 
reasonably  cost-effective  changes  in  the  design/manufacturing  process. 

Specific  conclusions  are: 

•  No  single  reliability  improvement  measure  will  result  in  a  highly 
reliable  controller.  The  best  reliability  improvement  measure  ex¬ 
amined  resulted  in  a  reliability  improvement  of  2.6. 

•  A  family  of  reliability  improvement  measures,  employing  design  procure¬ 
ment  and  manufacturing  disciplines  can  result  in  a  full-authority  EEC 
with  a  maintenance  reliability  many  times  greater  than  the  overhaul 
period  of  the  engine  it  controls.  The  RAEEC  control  studied  showed  a 
reliability  improvement  of  28.  As  it  improved  from  a  MTBUR  of  1320 
hours  to  37,000  hours. 

•  Redundancy  is  one  of  the  most  effective  and  one  of  the  most  expensive 
ways  to  increase  reliability.  Therefore,  redundancy  should  only  be 
used  to  achieve  the  exceptional  levels  required  by  high  mission  relia¬ 
bility.  RAEEC  with  duplex/triple  redundancy  achieved  a  mission  fail¬ 
ure  likelihood  of  2.  X  10"7. 

•  Mission  reliability  is  not  likely  to  be  justified  on  a  cost  basis  and 
must  be  required  by  factors  such  as  human  life  and  strategic  value  of 
mission  completion.  Weapon  system  requirements  must  realistically 
balance  maintenance  and  mission  reliability. 

•  Reductions  in  maintenance  cost  diminish  to  small  levels  when  mainten¬ 
ance  reliability  exceeds  10,000  -  15,000  hours  MTBF. 

•  Accelerated  stress  screening  of  components  is  the  only  economic  method 
of  removing  the  premature  component  failures  from  semiconductor  lots 
when  history  shows  a  lot  to  lot  variation  of  3-5  to  1  in  acceptable 
units. 

•  Reliability  growth  modeling  methodologies  described  by  Dr.  L.R.  Crow 
and  others  car,  be  correlated  directly  with  CERT  reliability  develop¬ 
ment  testing. 


303 


•  Optimuni.  engine  controller  reliability  can  only  be  achieved  using  several 
different  component  technologies;  e.g.,  bi-polar,  N-MOS  etc. 

•  Semiconductor  voltage  derating  is  one  of  the  most  cost-effective 
reliability  improvements.  Voltage  reductions  of  3:1  produced  a  6:1 
improvement  for  CMOS  components. 

•  Package. design  should  emphasize  small  repetitive  blocks  which  lend 
themselves  to  automated/semi  automated  manufacture. 

•  Package  design  improvements  to  minimize  the  flow  of  failed  units  to 
the  repai*^  depot  can  cause  a  2:1  reduction  in  handling  and  spares  cost 
in  the  repair  pipeline. 

•  Interconnect  systems  must  force  the  bulk  of  the  connections  into  the 
most  environment-tolerant  and  controlled-process  form;  e.g.,  connec¬ 
tions  within  highly  complex  semiconductors  and  within  leadless  chip 
carriers  and  hybrids.  Reductions  of  2:1  in  the  less  reliable  connec- 
tions  were  possible  in  RAEEC. 


304 


SECTION  XIII  RECOMMENDATIONS 


During  the  course  of  the  study,  new  materials  and  methods  of  controller  con¬ 
struction,  and  new  methods  of  cost-effective  screening  at  the  subassembly  level 
were  discussed.  Only  limited  experience  exists  in  the  application  of  these 
construction  and  screening  techniques  to  electronic  engine  controllers.  In 
addition,  lightning  protection  is  an  extremely  vital  issue  in  the  construction 
of  reliable  full  authority  electronic  controllers.  99%  assurance  of  lightning 
protection  based  on  paper  design  without  the  100%  certainty  of  testing  appears 
inadequate.  Therefore,  several  recomnendations  are  presented  for  consideration: 

•  Construct  and  test  several  typical  ceramic/metal  fuel  cooled  modules 
to  mature  and  optimize  the  assembly  and  repair  techniques. 

•  Further  investigate  the  potential  for  accelerated  stress  testing  at 
the  subassembly  level.  Build,  test,  and  evaluate  some  simple  test 
pieces. 

•  Design,  build  and  evaluate  a  simple  dedicated  power  system  which  can 
be  made  redundant  at  low  cost. 

•  Design,  build  and  test  a  lightning  protection  system  for  a  full-author¬ 
ity  electronic  control. 


305/306 


APPENDIX  A 

ELECTRICAL  DESIGN:  BASELINE 
and  TRADE  STUDIES 


A.l  Introduction 


This  appendix  presents  an  extensive  description  of  the  baseline  RAEEC  design 
and  related  trade  studies  on  fourteen  major  circuit  partitions.  The  final 
RAEEC  design  is  based  upon  the  results  of  these  trades. 

A, 2  Baseline  Design 
A . 2 . 1  Basel ine/FADEC  Relationship 

This  portion  of  the  report  provides  a  detailed  description  of  the  RAEEC  base¬ 
line  system,  which  is  actually  a  modified  Full  Authority  Digital  Electronic 
Control  (FADEC).  The  baseline  RAEEC  modifications  to  FADEC  are: 


1. 

Addition 

2. 

Add  ition 

3. 

Addition 

4. 

Addition 

5. 

Addition 

6. 

Addition 

6.  Addition  of  a  redundant  low  level  DC  interface  in  the  primary. 


The  FADEC  hardware,  on  which  this  baseline  is  made,  successfully  demonstrated 
dual-channel  full-authority  electronic  control  capability  in  the  high  altitude 
test  chamber  at  the  NASA  LEWIS  Cleveland  test  facility  on  a  Pratt  &  Whitney 
F401  Navy  engine.  The  FADEC  electronic  unit  provided  all  of  the  sensor  signal 
conditioning,  computation,  and  output  signal  processing  functions  necessary 
for  controlling  the  variable  turbine  engine.  The  control  unit  was  organized 
into  primary  and  secondary  sections,  shown  in  Figure  A-1  each  with  its  own  dig 
itdl  processor,  memory,  and  complement  of  input  and  output  signal  conditioning 
circuitry.  Both  the  primary  and  secondary  sections  are  capable  of  operating 
the  engine  from  start  up  to  intermediate  power.  The  primary  also  incorporates 
circuitry  necessary  for  controlling  augmentation  control  functions.  Each  sec¬ 
tion  includes  power  regulation  circuitry  supplied  by  separate  primary  and 
secondary  windings  in  the  alternator.  The  primary  electronic  unit  houses 
three  vibrating  cylinder  type  pressure  transducers  P2,  P-it  and  A  P^^  Tor  the 
Advanced  Technology  Demonstration  Engine  (ATDE).  The  secondary  unit  for  ATDE, 
provide  highly  accurate  measurement  with  a  digitally  compatible  frequency  out¬ 
put  signal.  Three  pressure  transducers  feed  into  each  digital  processor,  and 
are  organized  such  that  parameter  synthesization  provides  for  continued  safe 
operation  of  the  engine  should  one  processor  and/or  power  supply  malfunction. 


308 


FIGURE  A-1  FAOEC  ELECTRONIC  UNIT  ORGANIZATION 


Serial  digital  communication  between  the  primary  and  secondary  processors  is 
provided  using  a  dual  port  RAM  arrangement.  The  electronic  unit  incorporates 
comprehensive  built-in  test  software  and  hardware  features  to  identify  malfunc¬ 
tions  both  within  itself  and  other  system  components  for  facilitating  maintenance 
and  for  implementing  redundancy  management. 

A. 2. 2  Analoq-to-Diqital  Converter 


The  "multiple-ramp"  analog-to-diqital  converter  used  in  the  RAEEC  baseline, 
converts  multiplexed  high-level  (O  to  +10  V)  DC  signals  to  a  12-bit  binary 
number  with  a  typical  accuracy  of  11  bits,  and  with  a  maximum  conversion  time 
of  1.536  milliseconds. 

The  A/D  control  logic  and  data  registers  are  contained  in  three  custom  CMOS 
LSI  devices,  which  also  contain  registers  and  control  logic  for  two  frequency 
to  digital  converters,  and  one  serial  data  link.  Furthermore,  the  analog  por¬ 
tion  of  the  A/D  comprises  an  integrator  with  four  multiplexed  inputs,  a  zero 
comparator,  and  a  least  significant  bit  comparator.  (Figure  A-2.) 

In  order  to  understand  some  of  the  advantages  of  a  "multi-ramp"  converter,  the 
following  theory  of  operation  is  presented. 

At  the  beginning  of  the  conversion  cycle,  the  integrator  is  shorted  by  switch 
S4  (Figure  A-3).  Thus,  the  output  of  the  integrator  at  Lq  is 

Vo  (to)  =  0 

At  tg,  S4  is  turned  off  and  SI  is  turned  on  and  the  input  signal  to  be  measured 
(Vx)  is  integrated  for  a  fixed  time  interval,  ti  -  Lq  (ramp  1),  The  output 
voltage  of  the  integrator  at  t]  is, 

Vo  (tl)  »  -  ^  (ti  -  to) 

The  time  interval  t]  -  tg  is  equal  to 
(ti  -  to)  =  26/fc 
where  fc  is  the  clock  frequency. 


310 


LSB  COMPARATOR 


CLOCK 
(125  KHZ) 


RESET' 


VRJ-260  MV) 
2® 


ZERO  COMPARATOR 


TO  SWITCHES  SI.  S2,  S3,  AND  S4 

<  t  t  t 


CONTROL  LOGIC 
(1/4)  5E8065/08 


A/D  LSH  CLOCK  LSH  OF 


LSB  REGISTER 

MSB  REGISTER 

(1/4)  5E8065/  04 

1  1 

(1/4)  5E8065/04 

A/D  MSH  CLK 


COUNT  64 


E-5658 


FIGURE  A-2  BLOCK  DIAGRAM  MULTIPLE  RAMP  CONVERTER 


311 


FIGURE  A-3  IDEAL  MULTIPLE  RAMP  TIMING  DIAGRAM 


At.  ti,  SI  is  turned  "off"  and  ramp  2  is  turned  on  by  S2.  The  reference  volt¬ 
age  Vr,  is  then  integrated  until  the  first  clock  pulse  after  the  LSB  compara¬ 
tor  is  tripped.  The  bias  voltage,  VtVis  slightly  less  than  -\/r/26  which 
ensures  the  LSB  register  will  accumulate  a  full  count  if  the  LSB  comparator 
is  tripped  simultaneously  with  a  clock  edge. 

The  output  voltage  at  the  end  of  ramp  2  at  T2  is, 

Vo  (t2)  =  (tl  -  tc)  + 


^ 


During  ramp  2,  the  MSB  register  is  accumulating  clock  pulses.  Thus,  the  num¬ 
ber  of  counts  accumulated  in  the  MSB  register,  N2,  is 

N2  =  26  (t2  -  ti)  fc 

Notice,  because  the  clock  pulses  are  clocked  into  the  MSB  register,  each  clock 
pulse  is  weighted  by  a  factor  of  26.  The  time  interval  of  ramp  2  is 


(t2  -  ti) 


N2 

7^ 


At  t2,  S2  is  turned  off  and  ramp  3  is  turned  on  by  switch  S3.  The  reference 
voltage  VR/26  is  integrated  until  zero  comparator  is  tripped.  The  output  volt¬ 
age  of  ramp  3  at  t3  is. 


VQ  (^3)  =  (tl  -  to)  ^  ^  (^2  -  t])  +  Vr  (t3  -  t2)  (18) 


During  ramp  3,  the  LSB  register  is  accumulating  clock  pulses.  Thus,  the  num¬ 
ber  of  counts  accumulated  in  LSB  register  (Nl)  during  ramp  3  is 

N1  =  (t3  -  t2)fc 

If  there  are  any  counts  in  excess  of  26-1  the  LSB  register  will  overflow  into 
MSB  register.  The  time  interval  of  ramp  3  is 

(t3  -  t2)  =  ^ 

7c 

The  zero  comparator  detects  when  the  integrator  crosses  zero  volts,  thus, 

Vq  (to)  is  equal  to  zero  volts.  Therefore,  Vq  (to)  =  Vo  (t3)  =  0  and 

can  be  reduced  to. 


313 


^  (tl  -  to)  =  ^  (t2  -  ti)  +  (t3  -  t2) 

Substituting  for  equations 

^  26  =  Vr  N2  +  Vr  N1 
To;  Tc  TO"  7c 

cancellation  of  common  terms, 

Vx  26  =  V^^N2  +  Vr^NI  =  ^  N 

where  N  is  the  total  number  of  counts  in  the  register. 

N  is  equal  to, 

N  =  ^  2I2 

Vr 

This  is  the  basic  equation  of  any  multiple  ramp  converter.  The  number  of 
counts  in  the  register  is  simply  a  ratio  of  the  input  voltage  to  the  reference 
voltage.  Because  of  this,  the  accuracy  is  directly  proportional  to  the  ref¬ 
erence  voltage.  The  frequency  of  the  converter  and  the  gain  of  the  integrator 
have  no  effect  on  the  output,  and  thus,  have  no  effect  on  error.  Moreover, 
if  the  input  signal  (Vx)  is  ratioe<f  with  the  referenced  voltage  Vr,  ideally 
there  will  be  no  converter  error. 

The. following  lists  the  advantages  and  disadvantages  of  a  multiple  Ramp  A/D 
Converter. 

ADVANTAGES: 

1.  Input  signal  is  precisely  averaged  over  ramp  1  time. 

2.  No  sample/holds  -  another  source  of  error/jeopardy. 

3.  A/D  method  with  inherent  filtering,  Figure  A-4,  which  is  totally  com¬ 
patible  with  input  multiplexing  techniques. 

4.  Inherently  monotonic  due  to  integration  and  counting  technique. 


314 


TFn 


E-5683 

FIGURE  A-4  A/D  FILTERING  CHARACTERISTICS 


315 


DISADVANTAGE : 


?  successive  approximation  converter 

ihirh  even  though  there  are  other  converters 

fnl  Jl  I  1  ^I'^es,  a  faster  converter  isn't  required 

Lch  JontfSl  cy^le^  critical  DC  inputs  are  converted  during 

A . 2 . 3  Resolver  to  Digital  Converter 

The  baseline  ll-bit  resolver  to  digital  converter  comprises  a  pair  of  volt.np 

a  custom  Lsrco;;,,terS’bSs“Hve^?fi‘,“re“l'5r*‘‘Vte 

UcUonTj’ol  from  the  output  of  the  resol.er  mux^bescrfbed'  io 

and  rn^  p'uhfL  ^  resolver  position  (  d)  information  in  the  form  of  SIN/V 

?0  r"tSi:e?^m^Zic^ 

ables  the  4.0  MHz  precision  clock  into  two  8-bit  registers  These  registers 

?ers'?uJ'i!;r«'^dd“?io“M”"  “S  '•S'  Chips  (which  also  coouin  tho  data 

data  bus  bj  the  CPu!  converters)  which  can  be  addressed  directly  onto  the 

The  bridge  is  trimmed  such  that  the  impedance  Rr  exactly  eauals  that  of  r. 

at  the  excitation  frequency  of  1953.125  Hz,  and  10^50^.0  hSlOs  tJ  e  fo^  rJ  and 

shift  eH  th!r50°S"''?h^  are  matched  and  with  the  excitation  frequencj 
less  than  50  ppm,  the  following  identities  hold  true; 

The  voltage  Vi  solved  for  using  node  equations  is; 

0 


Vl  -  ECOS  0 
-J  R'b 


+  V]  -  Esin  p 


(Vi  -  Ecos  o)  =  J  Rb  (V]  -  Esin  0  ) 

Vl  (1  -  j)  =  Ecos  0  '  j  ^SIN  9 

V 1  =  E  (COS  g  -  J  SIN  ^  ^  -  0 

^  -  3  '  s~'2  I  =  450 


Vl 


1  E  /  450  -  /•? 


i 

i 

I J 


!  •! 

r  1 


I  5 


I  -I 


rr 


316 


u 

Ja 


FIGURE  A-5  RESOLVER  TO  DIGITAL  CONVERTER  (BASELINE) 


Solving  for  V2  in  a  similar  manner: 


-  E-CPi.  e.  +  V2  -  esir  e  =  0 
Ra  -J  RA 

j  Ra  (V2  -  Ecos  a)  =  Ra  (V2  -  Esin  a) 

V2  (j  -  1)  =  .j  Ecos  -  Esin 

V2  =  E  (COS  a  +  j  SIN  a)  =  i  i  e 
- TTi -  jrrw 

V2  =  1  E  Z  a  -  450 

’T' 

Solving  for  0,  the  phase  difference  between  V]  and  \J2i 

0  =  (a  -  45)  -  (45  -  a)  =  2  a  -  90O 

■The  following  lists  the  advantages  and  disadvantages  of  the  R-C  bridge  resolver 
to  digital  converter; 

ADVANTAGES: 

1.  All  failure  modes  can  be  detected  (if  the  total  resolver  movement  is 
restricted  to  less  than  90  mechanical  degrees). 

2.  Provides  a  direct  conversion  of  shaft  angle;  no  transport  delay  delta 
between  "SIN  a"  and  "COS  a"  inputs. 

3.  With  reference  angle  compensation,  this  interface  is  accurate  to 
within  6  minutes . 

4.  Lends  itself  to  multiplexing  techniques. 

DISADVANTAGES: 

1.  Precision  R-C  bridge  required  with  good  stability  over  temperature. 

2.  Accurate  sine-wave  generation  required  for  resolver  excitation.  Con¬ 
verter  is  sensitive  to  odd  harmonics. 

3.  Resolver  movement  should  be  restricted  to  less  than  90°. 


318 


A. 2. 4  Resolver  Excitation 


The  Resolver  Excitation  circuit  used  in  the  RAEEC  baseline  system,  provides  a 
precision  7  Vrms,  1.953  KHz  sinewave  for  excitation  of  the  engine  fuel  control 
resolvers.  Although  400  Hz  synchro  excitation  is  available  on  most  aircraft, 
this  configuration  for  self  excitation  of  fuel  control  feedback  transducers 
is  advantageous  for  the  following  reasons: 

1.  Loss  of  the  400  Hz  bus  would  cause  the  engine  fuel  controls  to  lose 
feedback  signah,  causing  engine  shutdown. 

2.  A  400  Hz  excitation  system  causes  a  Icng  R/D  conversion  time,  since 
the  period  of  one  sample  would  be  2.5  milliseconds,  and  a  minimum  con¬ 
version  time  of  twice  the  excitation  period  is  required  for  settling 
and  conversion  time. 

This  circuit,  as  shown  in  Figure  A-6,  comprises  five  different  functions  which 
are  described  briefly  as  follows: 

A. 2. 4.1  Transmission  Gate  Modulator  This  circuit  provides  an  amplitude  mod¬ 
ulated  1953  Hz  squarewave,  proportional  to  the  error  integrator  output,  which 
is  fed  to  the  tuned  filter, 

A. 2. 4. 2  Tuned  Filter  The  first  stage  of  the  active  tuned  filter  section  is 
a  bandpass  filter  to  attenuate  the  third  harmonic  of  the  square  wave  and  also 
to  block  the  DC  component.  The  center  frequency  is  at  1,953  KHz,  the  gain  is 
0  dbv,  and  the  sensitivity  is  10.  The  second  stage  is  a  low  pass  filter  to 
further  attenuate  the  third  harmonic  distortion.  The  center  frequency  is  at 
1.953  KHz;  zeta  is  0.1  resulting  in  a  gain  14  dbv  at  fo  *  1.953  KHz, 

A. 2.4.3  Rectifier  Amplifier  AR3  in  conjunction  with  diodes  CRl  and  CR2  and 
network  Z1  provide  a  gain  of  -1  for  negative  inputs  and  0  for  positive  inputs. 
The  offset  error  due  to  the  diode  is  negated  by  the  amplifier.  The  amplifier 
output  is  sunvned  with  the  filter  output  through  resistors  with  a  2:1  ratio 
producing  a  precise  full  wave  rectified  signal, 

A. 2.4.4  Error  Integrator  To  obtain  the  error  signal  necessary  to  produce  a 
6.8563  Vrms  output,  AR4  realizes  a  summing  error  integrator.  The  rectifier  out¬ 
put  current  is  summed  with  the  current  from  the  -10  VDC  reference.  If  the  cur¬ 
rents  are  not  equal,  the  integrator  ramps  up  or  down  until  they  are.  The  sine 
wave  input  does  not  affect  the  DC  voltage  level  of  the  integrator  output  because 
the  average  (or  DC)  value  of  the  sine  wave  is  zero.  It  does,  however,  produce 
a  full-wave  recitified  current  when  summed  with  the  half-wave  rectifier  output. 


319 


FIGURE  A-6  RESOLVER  EXCITATION  (BASELINE) 


A. 2. 4. 5  Power  Stage  A  Motorola  MC1538R  Power  Booster  is  used  to  obtain  the 

necessary  dTTve  current  for  resolver  excitation.  The  filter  output  is  buffered 
with  a  747  op-amp  which  supplies  the  drive  for  the  MC1538R.  The  feedback  loop 
is  unity  gain  and  serves  to  reduce  nonlinearity  and  crossover  distortion  of  the 
MC1538R. 

The  driver  outputs  are  matched  to  the  resolver  impedance  by  a  shunt  R-C  circuit, 
effecting  a  purely  resistive  load  to  the  power  booster.  This  reduces  the  re¬ 
quired  output  power  and  subsequent  dissipation  in  the  1538R.  Matching,  at 
this  writing,  is  for  six  resolvers  in  parallel  (per  MC1538  driver)  and  can  be 
adjusted  where  more  resolvers  are  employed.  Individual  resolver  impedance  is 
128  +  j648. 

A , 2 . 5  Torque  Motor  D/A‘s  and  Driver 

This  circuit  is  capable  of  driving  a  torque  motor  with  a  DC  current  of  40  mil- 
li amperes.  Control  information  from  the  central  computer  is  fed  into  a  shift 
register  in  a  serial  format.  The  output  of  this  register  controls  a  R/2R  lad¬ 
der  network.  Changing  the  binary  input  to  the  R/2R  ladder  will  change  the 
current  through  the  torque  motor.  A  LM148  is  used  as  the  circuit  amplifier 
and  a  complimentary  transistor  pair  as  a  voltage  follower.  The  granularity  of 
the  torque  motor's  current  will  be  +  128  increments.  In  the  event  of  a  circuit 
failure,  the  torque  motor  may  be  turned  off  by  the  central  processor  with  a 
CMOS  switch.  (Figure  A-7). 

A. 2. 6  Solenoid  Drivers 

Discrete  solenoid  data  is  loaded  into  a  CMOS  register  (CD4015)  from  the  central 
CPU.  This  register  will  store  the  control  data  for  8  solenoids.  The  output 
of  the  CD4015  drives  a  power  amplifier,  via  the  2N2907A  (buffer),  This  power 
amplifier  has  the  feature  of  built-in  short  circuit  protection.  The  output 
voltage  of  the  amplifier  is  monitored  by  the  LM148  for  the  purpose  of  fault 
detection.  (Figure  A-8). 

A. 2.7  Pressure  Sensors  and  Circuitry 

The  Hamilton  Stanuard  digital  pressure  transducer  is  a  precision  device  avail¬ 
able  to  industry.  The  pressure  transducer's  pressure  sensing  element  is  a 
cylinder,  excited  by  a  magnetic  d.  iving  circuit,  which  vibrates  at  its  natural 
frequency.  As  the  pressure  to  be  m.easured  increases,  internal  forces  act  to 
increase  the  stiffness  of  the  sensing  element  causing  the  natural  frequency  to 
increase  in  proportion  to  the  change  in  applied  pressure.  The  inherent  high 
accuracy  and  digital  nature  of  this  device  make  it  ideally  suited  to  computer 
controlled  systems.  (Figure  A-9). 


321 


TORQUE  MOTOR  DISABLE 


323 


EVACUATED  CYLINDER  END  CAP 


E-2014 


FIGURE  A-9  SECTION  VIEW  OF  PRESSURE  SENSOR 


The  physical  parameters  which  may  be  measured  with  the  greatest  accuracy  are 
time  and  frequency.  Frequency  does  not  lose  its  identity  or  precision  by  trans¬ 
mission  and  may  always  be  measured  with  considerable  accuracy. 

The  pressure  transducer  sensor  is  comprised  of  two  concentric  cylinders,  an 
inner  one  and  outer  one,  separated  by  an  evacuated  space,  which  becomes  the 
absolute  pressure  reference.  These  cylinders,  while  separate  at  one  end,  share 
a  common  mounting  base.  The  walls  of  the  inner  cylinder  are  caused  to  vibrate 
at  their  lowest  natural  frequency  by  force  pulses  from  the  magnetic  field  of 
a  driver  coil  mounted  internal  to  the  inner  cylinder. 

Mounted  in  the  same  centerbody  as  the  driver  coil  is  the  pickup  coil  which  pro¬ 
duces  a  voltage  proportional  to  the  frequency  and  amplitude  of  cylinder  wall 
vibration.  The  pickup  voltage  is  fedback  to  the  driver  coil  through  an  opera¬ 
tional  amplifier  so  as  to  maintain  a  constant  cylinder  wall  vibratory  amplitude. 

When  a  pneumatic  pressure  is  introduced  into  the  inner  (vibrating)  cylinder, 
the  wall  elements  are  tensioned  and  the  cylinder  natural  frequency  increases. 
Hence,  the  natural  frequency  is  dependent  upon  pressure  in  the  nonlinear  re- 
1 ationship : 

Pressure  =  A  +  Bf^  +  Cft^  +  Df^^  +  Ef^4 

where  A,  B,  C,  0,  and  E  are  calibration  constants.  Therefore,  the  transducer 

sensor  converts  sensed  pressure  into  a  2  to  3  volt  square-wave  electrical  sig¬ 
nal  whose  frequency  is  a  non-linear  function  of  the  sensed  pressure. 

A. 2. 7.1  Pressure  Sensor  Drive  System  The  pressure  sensor  electronics  pro¬ 
vide  the  necessary  positive  feedback  for  each  transducer  to  sustain  oscillation 
in  its  primary  resonant  mode.  The  pick-up  signal  is  amplified  first  by  a  var¬ 
iable  gain  stage  and  second  by  a  fixed  gain,  bandpass  amplifier.  The  filter 
elements  in  the  second  stage  are  chosen  to  provide  the  proper  phase  shift  that 
will  result  in  a  loop  phase  shift  of  360o.  This  gives  maximum  support  to 

oscillation  at  the  sensor's  resonant  frequency.  Drive  signal  amplitude  is 

controlled  by  sensing  the  AC  drive  current,  precision  rectifying  it,  and  com¬ 
paring  the  rectified  signal  to  a  DC  reference.  The  resultant  error  signal  is 
integrated  and  used  to  control  the  gain  of  the  input  variable  -  gain  amplifier. 
The  system  frequency  is  sensed  at  the  output  drive  by  a  comparator  and  converted 
to  a  logic  level  signal  (Figure  A-10). 

The  circuit  is  repeated  for  each  of  12  pressure  sensors.  The  circuits  share 
3  common  +  6  volt  power  supply  required  by  the  variable  -  gain  stage.  The 
balance  oT  the  circuit  utilizes  analog  +14/-14V  power. 


326 


FIGURE  A-10  PRESSURE  SENSOR  ELECTRONICS  -  BLOCK  DIAGf^M  (BASELIN^) 


A. 2. 7. 2  Temperature  Sensor  Circuit  Because  the  natural  frequency  of  the 
vibrating  cylinder  is  a  function  of  both  pressure  and  the  ambient  temperature, 
a  temperature  sense  circuit  is  provided  to  measure  the  temperature  at  the  sen¬ 
sor  and  provide  the  information  as  an  analog  signal  through  the  A/D  to  the 
processor.  Placed  at  the  top  of  the  spool  body  is  a  diode,  which  is  selected 
for  its  temperature  coefficient.  The  actual  "circuit"  comprises  a  precision 
resistor  as  indicated  in  the  circuit  shown  in  Figure  A-11. 

A. 2. 7. 3  Digital  Correction  PROM  Each  pressure  sensor  is  packaged  with  spec¬ 

ific  compensating  digital  data,  kaw  data  received  from  the  sensor  in  an  un¬ 
compensated  form  has  variations  in  linearity  with  pressure  level  and  tempera¬ 
ture  induced  shifts.  The  calibration  process  to  which  each  sensor  is  subjected 
establishes  exactly  how  much  compensation  each  sensor  requires  to  accurately 
convert  its  frequency  output  to  a  precise  digital  number.  This  compensating 
data  is  then  permanently  programmed  into  a  PROM  Memory  chip  where  it  can  be 
addressed  by  the  computer  each  time  the  sensor  is  addressed.  The  determination 
of  the  normalization  scale,  cubic  coefficients,  adjusted  counts,  pressure  and 
temperature  maps  are  determined  and  converted  from  engineering  units  (volts, 
psi,  etc)  to  programmable  binary  information  in  PROM  format  by  computer.  In¬ 
puts  to  the  computer  are  the  data  taken  on  each  pressure  sensor  during  cali¬ 
bration. 

A. 2. 7. 4  Sensor  Frequency  to  Digital  Converter  baseline  system  sensor 

frequency  to  digital  conversion  is  performed  in  custom  CMOS  LSI.  Two  sensor 
frequency  outputs  are  multiplexed  under  processor  control  into  a  custom  chip 
which  counts  a  predetermined  sensor  period  count.  The  output  of  this  period 
counter  is  a  pulse  width  which  enables  a  precision  2  MHz  clock  into  two  custom 
LSI  8-bit  counter  chips.  The  resulting  16-bit  counter  is  tri-stated  onto  the 
computer  bus  under  CPU  control.  Since  the  three  LSI  devices  mentioned  are 
designed  to  handle  five  16-bit  digital  conversions,  only  1/4  of  3  LSI  chips 
are  used  for  this  process,  or  roughly  185  logic  gates  for  each  sensor  pair 
(Figure  A-1 2) . 

A, 2. 8  Low  Level  DC  Interface 

The  baseline  system  inputs  four  low  level  signals  and  one  high  level  signal. 

The  low  level  signals  are  multiplexed  into  an  instrumentation  amplifier  which 
provides  a  high  level  signal  for  multiplexing  into  the  analog-to-digital  con¬ 
verter.  The  high  level  signal  is  buffered  with  a  separate  instrumentation 
amplifier  which  is  also  multiplexed  into  the  A/D.  The  multiplexer  is  followed 
by  a  buffer  stage  to  provide  higher  drive  capability  for  the  A/D  converter 
(Figure  A-1 3) . 


327 


+  10  VDC  REF 


E-5680 


FIGURE  A-  1 1  TEMPERATURE  SENSOR  CIRCUIT 


E-5678 


FIGURE  A-  12  SENSOR  FREQUENC/  TO  DIGITAL  CONVERSION 


■i^ii 


iM^- 


FIGURE  A-13  LOW  LEVEL  INTERFACE  (BASELINE) 


330 


The  resolver  inputs  are  presently  multiplexed  into  the  resolver  to  digital 
converter.  The  multiplexing  is  acomplished  by  using  CMOS  multiplexers.  The 
CMOS  multiplexers  require  protection  from  voltage  transients  which  could  dam¬ 
age  them.  This  protection  is  accomplished  with  a  diode  voltage  clamp  and  a 
series  impedance  on  each  channel  (Figure  A-14). 

A, 2. 10  Discrete  Signal  Conditioner  Circuits 

The  baseline  signal  interface  provides  circuitry  to  condition  and  input  signals 
from  three  discrete  switch  closures;  a  LOD  Detector,  and  a  Serial  Data  Stream 
transmitting  the  mach  number.  The  discrete  switch  closures  are  conditioned 
with  a  diode  resistor  protection  network  to  protect  the  CMOS  devices  from  volt¬ 
age  transients  which  may  be  coupled  on  to  the  external  signal  lines.  The  in¬ 
formation  is  input  to  the  processor  by  enabling  a  bus  driver.  The  LOD  detec¬ 
tion  is  accomplished  by  gating  the  frequency  into  a  counter  for  a  known  period 
of  time.  The  resulting  count  is  read  by  the  processor  and  compared  to  a  fixed 
limit.  The  mach  number  serial  data  stream  is  received  with  its  corresponding 
clock  with  a  differential  line  receiver.  The  resulting  signal  is  shifted  into 
a  register  which  is  read  by  the  processor.  (Figures  A-15  and  A-16). 

A. 2. 11  Frequency  to  Digital  Speed  Interface 

The  baseline  speed  interface  uses  custom  LSI  chips  to  perform  the  frequency 
to  digital  conversion.  The  signal  conditioning  is  accomplished  by  using  a 
quad  operational  amplifier  as  a  comparator.  The  output  of  the  amplifier  re¬ 
quires  level  shifting  to  CMOS  logic  level.  Additional  gating  is  provided  to 
allow  for  variable  frequency  division  of  the  signal  prior  to  digital  conversion. 
The  LSI  chip  contains  tristate  bus  drivers  for  communication  with  the  CPU. 
(Figures  A-17  and  A-18). 

A, 2. 12  Turbo  Pump  Speed  Interface 


The  baseline  turbine  pump  speed  circuit  inputs  a  pulse  train  where  the  fre¬ 
quency  of  the  incoming  pulses  is  proportional  to  the  pump  speed.  The  pulses 
are  conditioned  with  an  operational  amplifier  and  converted  to  logic  levels 
with  a  diode  and  CMOS  buffer.  The  signal  is  then  fed  into  a  custom  LSI  period 
counter  which  gates  a  high  frequency  clock  into  a  counter.  The  counter  can  be 
read  by  the  CPU  to  determine  the  pump  speed  (Figure  A-19). 


MCI  103 


FIGURE  A-14  RESOLVER  MULTIPLEXER  (BASELINE) 


FIGURE  A-16  SIGFAL  INTERFACE  (BASELINE) 


CONTROL 

LINES 


DECODE  AND 
RESET  CIRCUITRY 


17  MHZ 


5915 


FIGURE  A-17  SPEED  INTERFACE  (BASELINE) 


MC1 103 


FIGURE  A-18  SPEED  INTERFACE 


FIGURE  A-19  TURF  NE  PUMP  SPEED  (BASELINE) 


A. 2. 13  Fault  Detection  Logic 

Four  fault  discretes  are  signal  conditioned  by  a  Quad  voltage  comparator.  Each 
input  is  current  transient  protected  by  a  series  resistor  and  voltage  protected 
by  clamping  diodes.  The  capacitor  on  all  inputs  will  act  as  a  filter  to  all 
high  frequency  noise  and  prevent  false  triggering.  The  buffer  protects  the 
primary  BUS  from  uncontrollable  power  sequencing.  A  separate  power  supply  is 
used  to  power  this  circuitry  and  also  the  voting  logic  (not  shown).  This  supply 
has  voltage  diode  ORing  at  the  input  and  is  capable  of  driving  a  load  of  100  ma 
(Figure  A-20). 

A. 2. 14  Power  Supply  Svstetn 

A. 2. 14.1  Baseline  Power  Supply  Summary  The  power  source  is  a  30  permanent 

magnet,  constant  current  alternator.  Input  power  is  rectified,  capacitor  fil¬ 
tered,  and  converted  to  two  constant  voltages  (+14  and  -14)  by  two  shunt  regu¬ 
lators.  Input  current  is  3.3  to  4.0  ADC.  Current  not  required  by  the  effectors 
and  electronic  circuits  must  be  absorbed  by  the  shunt  regulators  and  dissipated 
as  power.  +^14V  is  utilized  by  the  effectors  and  analog  circuits.  +5V  for  the 
logic  and  memory  circuits  is  derived  by  a  monolithic  series  regulator  powered 
off  the  +14V  bus.  +10\/  for  logic  and  analog  circuits  is  also  derived  from  +14V 
by  means  of  a  series  regulator.  Two  comparators  monitor  +5  and  +10  for  over¬ 
voltage  and  decrease  the  +14\/  regulator  if  overvoltage  is  detected.  Two  addi¬ 
tional  comparators  monitor  +6  and  +10  for  undervoltage  and  generate  a  "power 
supply  reset"  (PSR)  if  low  voltage  is  detected.  Finally,  a  drive  circuit  to 
provide  excitation  to  the  Light  Off  Detector  is  included.  This  circuit  includes 
on/off  logic,  level  shifting  (+10  logic  to  -14)  and  push-pull  power  switching 
with  inherent  current  limiting.  The  circuit  is  repeated  for  a  LOD  test  channel 
(Figure  A-21  and  Table  A-1). 

A, 2. 14, 2  Permanent  Magnet  Alternator  (Constant  Current  Alternator)  The 
Permanent  Magnet  Alternalor  consists  of  a  multipole  permanent  magnet  rotor  and 
a  multitooth  stator.  The  rotor  is  constructed  of  alternating  polarity  rare 
earth  magnets  positioned  radially  around  the  circumference  of  the  rotor.  The 
magnets  are  retained  by  nonmagnetic  materials  and  a  thin  nonmagnetic  sleeve 
which  yields  a  smooth,  low-friction  surface.  The  output  windings  are  wound 
in  segments  around  the  stator  teeth  and  connected  for  a  30  output.  The  number 
of  teeth  is  1.5  times  the  number  of  magnet  poles  in  a  30  machine. 

The  permanent  magnet  alternator  is  particularly  attractive  for  airborne  use 
because  of  its  simplicity,  lightweight  and  absence  of  an  exciter,  a  commutator, 
slip  rings,  brushes,  and  a  field  winding. 


330 


I 

I 


+10  VOLT 
VOTER 


PRIMARY 

SOURCE 


339 


SECONDARY 

SOURCE 


I 


*  14  V 
SHUNT 
REGULATOR 


+  10  V 
SERIES 
REGULATOR 


+  5  V 
SERIES 
REGULATOR 


INPUT 

POWER 


-14  V 
SHUNT 
REGULATOR 


4 

i 

1  t-S  1 

RETURN - 

_ 1 

SJ 

INPUT 

i 

i. 

j 

+  S  — »-j 

OVER 

VOLTAGE 

♦  10  ^  1 

DETECTOR 

UNDER 

VOLTAGE 

DETECTOR 


PSR 

GENERATOR 


OUTPUT 

INHIBIT 


LEVEL 

SHIFTER 


LOD 

POWER 

URIVE 


TEST  - 
INHIBIT 


LEVEL 

j  SHIFTER  I  ^  I  I 

CONSTANT  CURRENT  ALTERNATOR  ' 

ti?  PAJ7T5  lOG  V\ATTS  5965 


FIGURE  A-21  POWER  SUPPLY  BLOCK  DIAGRAM  (BASELINE) 


3 


*  Assumptions  used  in  Typical  Power  Dissipation  above 


lAV  Solenoids  @  .4A  1 

20V  Solenoios  @  .3A  0 

28V  Solenoids  .2k  2 

Torque  Motors  .05A/.15A  +14V/-14V 

Analog  Load  .2A/.2A  +14V/-14V 

+10V  Load  .35A 

+5V  Load  .55A 


341 


Characteristically,  open  circuit  voltage  increases  proportionately  with  speed, 
while  short  circuit  current  remains  relatively  constant.  Hence,  the  permanent 
magnetic  alternator  may  be  referred  to  as  a  constant  current  generator.  For 
a  fixed  load,  the  alternator  parameters  may  be  chosen  to  provide  relatively 
constant  current  over  a  wide  speed  range, 

A. 2. 15  Central  Processor 

This  portion  describes  the  RAEEC  baseline  Central  Processor  which  comprises 
the  five-chip  CPU,  the  12K  word  PROM,  the  RAM,  the  EAROM,  and  the  Oual- 
Port  RAM.  Although  the  EAROM  is  presented  in  this  discussion,  it  was  not 
considered  in  the  trade  studies  since  it  is  not  flight  cricitical,  and  is  used 
only  to  keep  track  of  fault  words. 

A. 2. 15.1  Central  Processor  Unit  The  five-chip  (CPU)  implemented  in  the  baseline 
unit  is  a  technologly  improved  version  of  the  11  LSI-chip,  ion-implanted  bulk- 
CMOS,  HS  16/24  SISO,  bit-parallel  processor  used  in  the  EEC102  and  JFC  106  engine- 
mounted  fuel  controls.  The  five  chips  comprise  two  custom  very  large  scale 
integration  (VLSI)  CMOS  silicon-on-sapphire  (SOS)  devices,  and  three  custom  ion- 
implanted  CMOS  devices.  Features  of  the  parallel  HS  16/24  SOS/CMOS  parallel  pro¬ 
cessor  are: 

1*  Low  Power:  0.5  watt  at  4  MHz,  10  VDC 

2.  High  Speed:  1.0  microsec  register  and  Immediate,  2.0  microsec  Memory 

Ref.  Inst. 

3.  Excellent  noise  immunity 

4.  Full  MIL  Spec:  -SS^^C  to  +1250C,  oESOES  (based  on  MIL-M.38510,  Class 

B) 

5.  Technology:  Very  high  density,  2600  FET,  static  CMOS  SOS  VLSI;  4  to 

10  nanosec  delay  per  gate  at  25^0 

6.  Addressing:  Direct  to  2048  words;  indirect  to  32K  words 

7.  Priority  interrupt  structure 

8.  Hardware  Multiply:  17.0  ^s  absolute  max  at  4  MHz,  (13.5 /^s  based  on 

arithmetic  mean) 

9.  Hardware  Di  vide:  \7  iis 


342 


10.  87  Instructions:  14  Memory  Reference,  2  Input/Output,  17  Shift,  1 

Load  Immediate,  13  Skip  with  53  Combinations 

11.  Integral  Test  Hardware:  Single-step  Run/Halt,  DMA,  External  Diagnos¬ 

tic  Memory  and  Terminal  Interface  provided 
via  test  connector 

12.  TTL  Compatible  Inputs:  No  buffers  required  on  input  bus 

13.  TTL  Compatible  Serial  Outputs:  No  buffers  required  on  Serial  or  Par¬ 

allel  Outputs 


CPU  Architecture 


The  HS  16/24  CPU  is  a  flexible,  controls-oriented,  CMOS  LSI,  bit  parallel, 
fractionally  scaled  two's  complement,  combinational  logic,  state  machine.  De¬ 
signed  initially  for  either  16-  or  24-bit  word  lengths  (16  bits  for  fuel  con¬ 
trols  and  24  bits  for  navigational  computations),  it  may  be  operated  with  clock 
rates  from  0  to  1  MHz  (0  to  4  MHz  clock  input),  supply  voltages  from  0  to  +15 
VDC,  and  temperatures  from  -550C  to  +1250C.  It  is  structured  as  shown  in 
Figure  A22  with  six  dedicated  registers,  a  program  incrementer,  an  arithmetic 
logic  unit  (ALU),  all  "hard-wired"*  control  logic  and  timing.  The  CPU’s  87 
instructions  are  designed  to  operate  with  a  microinstruction  controlled  clock 
which  can  synchronously  vary  the  microinstruction  execution  times  between  50C 
nanosec  and  2.0  microsec,  allowing  all  instructions  to  be  executed  with  maxi¬ 
mum  speed  efficiency.  Instruction  execution  times  are  also  minimized  via  over¬ 
lapped  Fetch/Execute  cycles,  look-ahead  carry  in  both  arithmetic  unit  and  reg¬ 
ister  unit  adders,  and  judicious  selection  of  all  register  transfer  paths  to 
allow  multiple  register  transfers  to  occur  simultaneoulsy. 

CPU  Hardware  Implementation 

The  digital  logic  required  to  implement  the  HS  16/24  CPU  design  was  partitioned 
into  two  different  custom  LSI  types.  A  total  of  three  of  these  LSI  devices  are 
required  for  the  complete  16-bit  processor  design:  one  Control  Logic/Timing 
CMOS  SOS  VLSI  module  (5E8065/10)  and  two  8-bit  Register/ALU  CMOS  SOS  VLSI  mod¬ 
ules  (5E8065/09). 


*  A  microprogrammable  control  store  was  designed  for  this  machine,  which  un¬ 
fortunately  comprised  some  20  components  (including  5  ROMs),  which  were 
deemed  far  less  reliable  and  slower  than  the  hard-wired  control  logic  which 
replaced  them. 


343 


FIGURE  A- 22  CPU  BLOCK  DIAGRAM  -  BASELINE 


The  arithmetic  logic  unit  performs  the  actual  execution  of  all  arithmetic  and 
logic  instructions r  An  arithmetic  instruction  always  involves  two  operands 
that  must  be  combined.  One  of  the  operands  is  specified  in  the  address  portion 
of  the  instruction  word  and  comes  from  memory  or  an  input  device.  The  other 
operand  is  already  in  the  A  register  of  the  arithmetic  unit  as  a  result  of  a 
previous  instruction.  The  operation  code  portion  of  the  instruction  word  spec¬ 
ifies  exactly  how  the  two  operands  are  to  be  arithmetically  or  logically  com¬ 
bined. 

There  are  six  dedicated  16-bit  parallel  registers  associated  with  the  arithme¬ 
tic  and  register  units. 

CPI)  Throughput 

The  performance  of  a  processor  may  be  measured  in  its  throughput,  or  given  a 
particular  instruction  mix,  the  maxiiiium  number  of  instructions  that  it  will 
process  in  one  second.  While  on  the  other  hand,  the  figure  of  merit  of  a  pro¬ 
cessor  may  be  measured  in  its  througiiput  per  watt  or  kops/watt,  where  kops  is 
thousands  of  operations  per  second.  The  instruction  mix  used  in  calculating 
throughput  is  derived  from  the  actual  program  used  in  a  recent  breadboard  de¬ 
signed  for  an  engine  fuel  control.  Based  on  this  mix,  the  predicted  throughput 
is  390  kops  and  the  performance  throughput  per  watt  is  780  kops/watt  (based  on 
0.5  watt  for  the  five-chip  CPU  system). 

Watchdog  Timer 

The  watchdog  timer  is  a  hardware  built-in  test  circuit  which  is  used  to  detect 
and  either  correct  or  flag  a  hung  CPU  condition.  Its  primary  function  is  to 
eliminate  any  infinite  looping  that  may  occur  as  n  result  of  a  lightning  dis¬ 
charge  or  other  abnormal  transient.  This  looping  condition  is  quickly  detected 
by  the  timer  as  the  timer  must  be  reset  by  the  CPU  after  each  CPU  control  loop. 
When  the  CPU  is  hung,  the  timer  is  not  reset  and  the  error  is  detected.  A 
reset  pulse  is  given  to  the  CPU  in  an  attempt  to  restart  it.  All  output  ef¬ 
fectors  are  also  reset  at  this  time  and,  if  the  CPU  does  not  recover,  the  LRU 
fault  indicator  is  latched  and  the  secondary  is  notified  via  the  three  emergency 
fault-status  lines  that  it  is  now  in  full  control. 


A. 2. 15.2  Programmable  Read-Only  Memory  The  programmable  read-only  memory 
is  the  main-program  read-only  memory  for  this  fuel  control  and  is  specifically 
designed  to: 

a.  Minimize  memory  parts  count  and  printed  circuit  board  (PCB)  area  by 
using  high  density,  internal  power  strobed,  8K-bit  (2048  X  4),  compact 
18-pin  DIP-package,  PROM  integrated  circuits. 


b.  Reduce  memory  power  dissipation  through  the  use  of  self-power  strobed, 
bipolar  PROM's. 

c.  Provide  maximum  development  flexibility  at  low  cost  through  use  of 
programmable  ROM  (PROM)  devices. 

d.  Access  256  words  of  PROM  from  each  pressure  sensor  by  externally  quad- 
ruplexing  1024  X  4  bit  PROMs  into  256  X  16-bit  words,  (in  the  A/C 
card) . 

In  the  primary,  12K  words  of  memory  are  made  up  of  24  8K  integrated  circuit 
(IC)  packages.  As  the  1024  words  of  page  zero  of  memory  can  be  addressed 
directly  from  any  other  memory  page,  its  locations  are  extremely  valuable 
and  must  be  used  efficiently.  The  416  words  of  RAM  and  64  words  of  DPCTRAM 
(32  words  primary  plus  32  words  secondary)  therefore,  reside  in  the  top  half 
of  this  page  with  PROM  contained  in  the  lower  half.  The  half-page  zero  PROM's 
displaced  by  RAM  memory,  however,  are  not  wasted,  as  these  locations  can  be 
accessed  through  memory  page  16. 

Pressure  sensor  calibration  data,  usually  32  words  per  absolute  sensor  plus 
224  words  of  additional  program  memory,  is  available  in  each  of  three  pressure 
sensor  calibration  PROM's.  This  memory  is  implemented  with  1024  X  4  PROM  IC's 
but  is  accessed  using  a  CPU  wait  state  which  allows  it  to  be  quadruplexed  into 
full  16-bit  words.  The  wait  state  adds  only  1.0  microsecond  to  the  instruction 
execution  time  and  greatly  off-loads  the  CPU  by  not  requiring  the  assembly  of 
the  otherwise  four  separate  4-biL  nibbles  into  ,16-bit  words. 

A. 2. 15. 3  Random  Access  Memory  The  Random  Access  Memory  scratch  pod  is  spec¬ 
ifically  designed  io:  (1)  provide  up  to  416  X  16-bit  words  of  directly  addres¬ 
sable  (page  zero)  scratch  pad  memory  for  the  CPU  and  (2)  reduce  power  dissipa¬ 
tion  through  the  use  of  CMOS  RAM  IC's. 

The  CMOS  RAM  can  be  accessed  by  the  CPU  at  full  speed,  no  wait  states  are  re¬ 
quired.  All  416  words  of  RAM  memory  can  be  directly  add»‘essed  from  any  other 
page  of  memory  such  that  indirect  references  are  not  required.  It  should  be 
pointed  out  that  only  416  words  of  RAM  can  be  accessed;  64  words  are  perman¬ 
ently  disabled  to  enable  the  32  word  dual-port  cross-talk  RAM,  allowing  the 
most  judicial  organization  of  the  1024-word  base-page,  as  mentioned  above 
under  Programmable  Read-Only  Memory. 

A. 2. 15.4  Electrically  Alterable  Read-Only  Memory  Module  The  EAROM  is  a  hybrid 
module  which  contains  two  -  32  words  by  16  bits  '-  lARuM  chips  and  the  CMOS  address 
latches,  output  buffers,  and  logic  control  circuits  necessary  to  interface  with 
the  baseline  system. 


346 


This  EAROM  device  differs  from  RAM  devices  in  two  ways;  it  is  essentially  non¬ 
volatile,  but  it  requires  milliseconds  to  perform  either  its  ERASE  or  WRITE 
functions.  It  therefore  requires  multiple  commands  to  perform  either  function, 
each  requiring  100ms  delay  loops. 

The  EAROM  memory  itself  uses  MNOS  P-Channel  technology  to  realize  electrically 
alterable  memory  with  unpowered,  nonvolatile  storage  for  ten  years  at  70°C. 

Data  retention  is  a  minimum  of  2  X  loH  read  cycles/word  before  refresh  is  re- 
uired.  READ  access  time  is  4.0  microseconds  with  ERASE  WRITE  requiring  a 
.linimum  of  50  milliseconds.  Data  is  stored  by  applying  negative  writing  pulses. 

The  EAROM  module  is  program  controlled  with  I/O  Commands  being  utilized  as  read 
clock,  address  and  function  control,  write  inhibit,  and  data  strobes.  A  pro¬ 
grammed  sequence  is  generated  to  accomplish  the  READ  and  ERASE/WRITE  tasks. 

Special  care  must  be  taken  in  two  areas  to  ensure  proper  operation  of  the  EAROM 
hybrid,  first,  the  read  clock  must  have  a  pulse  width  greater  than  20  micro¬ 
seconds  and  less  than  40  microseconds.  This  clock  should  only  be  active  when 
an  actual  READ  of  data  is  desired  and  is  not  to  be  a  constant  input  frequency. 
Secondly,  the  design  of  the  EAROM  hybrid  is  such  that  one  of  the  two  EAROM 
chips  is  always  enabled  and,  therefore  susceptible  to  any  changes  of  the  Cl  and 
C?  control  signals.  It  is  therefore  recommended  that  these  signals  be  changed 
one  at  a  time  and  that  address  be  changed  only  when  Cl  and  C2  are  in  the  read 
modes. 

The  baseline  system  initializes  Cl,  C2  to  the  READ/HOLD  mode,  sets  EAROM  clock 
low,  and  inhibits  writing  when  the  system  is  activated  with  Power-On-Reset  (POR). 
These  states  should  be  returned  to  at  the  end  of  any  READ,  ERASE,  or  WRITE 
cycle. 

A. 2. 15.5  Dual-Port  Cross-Talk  RAM  A  dual-port  cross-talk  RAM  is  required 
in  each  baseline  primary  and  secondary  subsystem  to  n-ovide  a  "real-time"  data 
access  link  between  processors  (Figure  A-23). 

It  should  first  be  clarified  that  a  dual-port  RAM  is  a  device  with  dual  inde¬ 
pendent  data  and  address  buses  which  allows  simultaneous  asynchronous  access 
to  two  different  data  words.  Possibly  the  best  hardware  example  is  the  Advanced 
Micro  Device  AM  29705  16-wur-d  X  4-bit  dual  port  RAM,  which  allows  access  from 
either  A  or  B  ports,  but  allows  data  writing  only  through  the  B  port,  which  in 
this  case  would  be  dedicated  to  the  primary  control.  Since  CMOS  dual-port  RAMs 
of  higli  enough  density  do  not  yet  exist,  64  14-bit  words  of  the  total  512  RAM 
words  are  partitioned  with  data  mux  and  latches  to  act  like  D.P.  RAM.  A  UART 
coupled  with  a  dedicated  receiver  and  transmitter  interface,  continuously  and 
simultaneously  sends  and  receives  data  to/from  a  UART  on  the  second  processor's 
D.P.  RAM  at  a  125  KHz  bit  rate. 


The  CPU  cannot  write  into  locations  17008  through  17778,  which  are  reserved 
fur  the  dual-port  receiver.  A  single  jumper  change  will  allow  the  CPU  to  write 
into  these  locations.  All  received  words  contain  data  in  the  14  most  signifi¬ 
cant  bits  and  zeros  in  the  2  least  significant  bits.  The  dual-port  receiver 
is  wired  for  reception  of  up  to  32  words.  A  single  jumper  change  will  allow 
up  to  64  words  to  be  received.  While  the  receiver  can  accept  a  flexible  num¬ 
ber  of  words,  the  transmitter  circuitry  constrains  the  dual-port  to  operation 
of  blocks  of  32  words  or  64  words  only.  The  sync  word,  1777740,  will  be  found 
at  the  most  significant  location,  17378  for  the  32  word  case  and  17778  i'or  xhe 
64  word  case. 

Transmi  tter 

All  16  bits  of  all  words  in  the  transmitter  portion  of  the  dual-port  RAM  are 
readable  by  the  CPU  as  well  as  writable.  The  two  least  significant  bits  are 
not  transmitted.  The  circuit  is  connected  for  transmission  of  RAM  locations 
I6OO3  through  16378.  A  single  jumper  change  will  allow  transmission  of  ad¬ 
dresses  16008  through  16778.  The  transmit  circuitry  is  completely  independent 
of  the  sync  word,  outputting  either  blocks  of  32  or  64  words  depending  upon  a 
single  jumper  position.  Continuous  transmission  occurs  with  or  without  the 
presence  of  a  sync  word  in  the  transmitted  block  of  words. 

Any  location  may  contain  the  sync  word,  1777748,  where  the  two  least  signifi¬ 
cant  bits  are  don't  care  bits.  However,  additional  software  constraints  are 
required  for  error  free  dual-port  operation.  After  power-on-reset  there  is  an 
immediate  write  into  the  UART  transmitter  of  the  contents  of  location  1600g. 
This  occurs  before  the  CPU  has  a  chance  to  write  into  the  scratch  pad  memory. 
Since  this  may  result  in  an  initial  inadvertent  sync  word  tronsmission,  however 
unlikely,  initial  acceptance  of  duai-port  data  as  valid  data  must  depend  on 
reception  cf  a  second  sync  word  at  the  proper  position  in  the  received  block 
of  words.  That  is,  dual  port  data  is  not  to  be  considered  valid  until  the 
most  significant  dual  port  receiver  word  contains  the  sync  word.  The  trans¬ 
mitter  must  position  the  sync  word  in  scratch  pad  memory  as  the  most  signifi¬ 
cant  word  to  be  transmitted, 

The  dual -port  UART  is  wired  for  selection  of  an  8  bit  word  followed  by  an  odd 
parity  bit  and  one  stop  bit.  Since  there  are  10  transmitted  bit  periods  per 
output  word,  plus  a  stop  bit  period,  at  a  125K  baud  rate,  a  complete  half  word 
is  transmitted  every  38  s.  The  most  significant  data  bit  is  the  most  signif¬ 
icant  word  half  indicator  tu  the  receiver  circuit.  This  bit  is  not  available 
to  the  CPU, 


Dual-Port  RAM  Addressing 


There  are  3  sources  of  address  to  the  RAM  integrated  circuits:  CPU  address, 
dual-port  receiver  address,  and  dual-port  transmitter  address.  To  accomplish 
address  selection  from  the  3  sources,  TTL  tri-state  drivers  are  used  to  estab¬ 
lish  an  address  bus  which  is  pulled-up  to  Vdd  with  resistors  to  provide  the 
logic  high  voltage  required  by  the  RAM  integrated  circuits  operating  at  10 
volts.  The  address  drivers  are  capable  of  operating  v'ith  the  outputs  pulled 
up  to  10  volts  and  can  also  operate  with  their  inputs  at  10  volts.  The  latter 
requirement  is  imposed  because  the  receiver  and  transmitter  addresses  are 
sourced  by  CMOS  counters  operating  at  Vdd.  Normally  the  tri -state  buffers  are 
in  the  high  impedance  state.  The  scratch  pad  memory  (SPM)  address  decode  en¬ 
ables  CPU  address  to  the  bus.  The  sequential  circuits  associated  with  the 
dual-port  receiver  and  transmitter  can  supply  address  from  their  respective 
counters  during  the  time  toggle  1  MHz  is  at  a  logic  high  state.  This  is  only 
allowed  during  a  gated  system  clock  period  in  which  the  CPU  does  not  use  RAM 
(the  scratch  pad  memory  address  decode  is  not  asserted).  Since  the  RAH  address 
bus  is  driven  by  TTL  devices,  the  logic  high  state  is  achieved  by  passive  pull- 
up.  The  time  required  to  go  from  a  low  state  on  the  address  bus  is  approxi¬ 
mately  one  time  constant  since  the  TTL  driver  actively  drives  the  address  to 
3.5  volts.  Thus,  it  takes  2. OK  ohm  times  120  pf  or  240  ns  to  attain  a  valid 
logic  high  level . 

Detailed  Receiver  Operation 

The  UART  is  the  heart  of  both  the  receiver  and  transmitter  circuitry.  T|ie  UART 
receives  serial  data  from  the  optic  interface  and,  once  a  word  is  assembled  in 
the  parallel  receiver  buffer  register  within  the  UART,  a  high  Data  Ready  flag 
is  provided  on  UART  pin  19.  This  flag  is  synchronized  to  Gated  System  Clock 
by  a  flip-flop.  The  output  of  this  flip-flop  enables  data  to  the  inputs  of 
the  RAM  integrated  circuits  if  the  CPU  does  not  access  SPM  during  that  clock 
period.  The  writing  of  data  into  the  RAM  occurs  only  if  a  most  significant 
word  half  has  been  received,  that  is  if  the  most  significant  received  bit  is 
a  logic  high.  The  signal  that  enables  dual-port  write  into  RAM  is  clocked  into 
a  flip-flop  which  causes  a  counter  to  increment,  thus  preparing  the  receiver 
for  the  reception  of  the  next  word. 

When  the  least  significant  half  of  a  dual-port  word  is  received,  those  7  data 
bits  are  latched  for  subsequent  deposit  into  RAM  upon  the  reception  of  the  most 
significant  half  of  that  dual-port  word.  Thus,  an  entire  14  bit  word  is  changed 
in  RAM  simultaneously. 

The  receiver  is  synchronized  by  reception  of  177  octal  followed  by  reception 
of  377  octal.  This  causes  the  reset  of  the  error  flip-flop,  which  allows  the 
sync  word  and  subsequent  words  to  be  written  into  the  dual-port  RAM,  and  also 


causes  the  receiver  address  counter  to  be  reset  to  zero.  A  flip-flop  stores 
the  occurence  of  a  write  into  the  receiver  dual  port  RAM  so  that  the  receiver 
counter  can  be  incremented  after  each  write.  Incrementation  of  this  counter 
above  the  set  number  of  words  will  cause  the  error  flip-flop  to  set,  preventing 
further  writing  into  the  dual-port  receiver  RAM  until  a  new  sync  word  is  re¬ 
ceived. 

Detailed  Transmitter  Operation 


The  UART  Transmit  Buffer  Register  Empty  signal,  TBRE,  from  pin  22  goes  high  to 
initiate  the  reading  of  the  Oual-Port  RAM  and  then  transmission  of  that  word. 
The  word  taken  from  the  RAM  is  14  bits  long,  with  7  bits  written  into  the  UART 
and  7  bits  stored  in  a  holding  register.  The  MSB's,  the  stored  7  bits,  are 
transmitted  upon  issuance  of  the  next  TBRE  signal.  Upon  the  serial  transmis¬ 
sion  of  a  byte  the  Transmit  Register  Empty  signal,  UART  pin  24  goes  high  and 
increments  the  transmit  address  counter.  The  least  significant  bit  of  this 
counter  is  the  most  significant  word  half  indicator,  TMSH.  The  remaining  bits 
of  this  counter  are  used  as  address  bits  to  the  RAM. 

The  RAEEC  CPU  board  contains  a  serial  transmission  link  that  is  used  to  commun¬ 
icate  with  a  similarly  equipped  CPU.  The  transmission  link  is  interfaced  with 
the  RAEEC  CPU  through  Direct  Memory  Access  (abbreviated  DMA).  That  is,  the 
RAEEC  CPU  merely  sends  data  to  a  portion  of  its  scratch  pad  memory  to  output 
data;  received  information  appears  in  another  block  of  scratch  pad  memory. 

A. 3  RAEEC  Circuit  Trade  Study 

A, 3.1  Introduction 

This  section  of  the  report  provides  detailed  descriptions  of  the  various  cir¬ 
cuitry  considered  in  the  RAEEC  circuit  trade  study.  The  trade  studies  consid¬ 
ered  any  application  of  any  technology  in  production  as  of  1979,  with  specific 
regard  to  the  salient  features,  drawbacks,  circuit  board  area,  and  power  dis¬ 
sipations  of  each  design.  The  final  summary  of  these  trades  is  presented  in 
Section  3.4.3.  Also  refer  to  the  Reliability  Diagram  (Figure  A-24). 

(Information  on  the  derivation  of  the  Reliability  Figures  useo  in  this  section 
is  contained  in  the  "Guide  for  Development"  referred  to  in  Section  XI.) 

A. 3. 2  Analog  to  Digital  Converter 

There  are  several  well  known  analog  to  digital  conversion  techniques  which 
include  the  following: 

a.  The  two-ramp  A/D 


351 


FIGURE  A-24  RAEEC  SYSTEM  RELIABILITY  BLOCK  DIAGRAM  COMPLETED  CIRCUIT  TRADEOFFS 


b.  The  multi-ramp  A/R  (3-ramp,  quad  slope,  etc.) 

c.  Successive  approximation  A/R  (SAC) 

d.  A/D  doubling  converter 

e.  Video  speed  comparator/bit  A/D 

Of  the  five  A/O's  mentioned  above,  only  the  "multi-ramp  A/D"  and  the  "SAC  A/D" 
were  considered  in  these  trades,  since  only  they  can  perform  a  full  12  bit 
conversion  in  under  1.5  milliseconds  over  the  full  military  temperature  range, 
at  a  competitive  price.  A  summary  of  the  A/D  trades  is  shown  in  Table  A-2. 

A. 3. 2.1  Multi -Ramp  A/D  Converter  It  has  been  successfully  demonstrated  at 
Hamilton  Standard,  tnat  a  "smart  multi-ramp  A/D"  can  be  fabricated  using  a  micro¬ 
processor  in  place  of  the  control  logic.  Because  this  A/D  uses  a  microproces¬ 
sor,  it  can  be  programmed  to  perform  the  logic  sequence  described  in  Paragraph 
A. 2. 2,  but  also  can  perform  its  own  input  signal  multiplexing,  input  scaling, 
range  checks,  in  addition  to  fault  isolation.  A  simplified  block  diagram  is 
shown  in  Figure  A-2S. 

A. 3. 2. 2  Successive  Approximation  A/p  The  successive  approximation  type  of 
analog-to-digi tal  converter  can  be  used  to  convert  the  analog  signals  to  a 
digital  format.  This  type  of  converter  requires  a  sample  and  held  unit  to 
maintain  a  constant  input  amplitude  during  the  conversion.  The  conversion  can 
be  made  very  rapidly,  typically  less  than  50/^ sec.  There  are  two  drawbacks  to 
using  this  type  of  conversion  scheme  in  a  control  environment.  A  successive 
approximation  converter  is  very  sensitive  to  noise  on  the  input  signal,  re¬ 
quiring  dedicated  filtering  on  all  input  channels.  Filtering  complicates  the 
dynamics  of  the  system  by  adding  lags  which  must  be  compensated  for  in  the 
control  scheme.  Additional  software  filtering  is  usually  necessary  which  af¬ 
fects  software  overhead  and  required  processor  capability.  It  should  be  pointed 
cut  that  although  this  converter  is  “off  the  shelf",  monolithic,  and  faster 
than  the  multi-ramp  type  converter,  the  additional  sample  hold  circuitry, 
filtering  circuitry,  and  software  filtering  makes  this  system  less  attractive. 

A  simplified  block  diagram  is  shov/n  in  figure  A-26, 

A ,  3 , 3  Resol  ver  to  I'i q i  t a  1  Converter 

A  few  possible  resolver  conversion  concepts  are  presented  for  review: 

a.  f-C  br  idge  to  pulse  wi-Rh  to  DC  to  digital  via  A/D. 

b.  i<-C  bridge  to  pulse  width  to  digital. 


TABLt  A-2  SUMMAR 


BASELINE 
TRIPLE  RAMP 

ALT  #  1  TRIPLE 
RAMP  N-CHANNCL 

ALT  #  2 
SUCCESSIVE 
APPROX. 

#  Of  Components 

27 

24 

18 

#  Of  Solder  Joints 

109 

170 

100 

Board  Area  (In^) 

6.89/5.15* 

6.45/3.96* 

5/2.78* 

Power  (Watt) 

.89 

.97/. 67** 

.54 

Custom  I.C,  Required 

Yes 

No 

No 

Digital  Scaling 

No 

Yes 

No 

Mi'x  Addressing 

No 

Yes 

No 

Self  Test 

No 

Yes 

No 

Drift  Correction 

No 

Yes 

No 

Range  Check 

No 

Yes 

No 

Inherent  Filtering 

Yes 

Yes 

Yes 

*  Improvement  with  leadlesc  carriers. 

**  Power  reduction  using  CMOS  /i  Processor. 


354 


OS  MUX 


FIGURE  A-25  MULTI  —RAMP  A/0  CONVERTER  ALTERNATE  DESIGN  #1 


SIGNALS 


E-  5967 


FIGURE  A-26  SUCCESSIVE  APPROXIMATION  A/D  ALTERNATE  DESIGN  #2 


c.  SIN  Q  and  COS  9  synchronous  demodulation  to  DC  followed  by  A/D. 

d.  SIN  0  and  COS  9  precision  rectification  to  DC  followed  by  A/D. 

Of  the  four  conversion  techniques  mentioned  above,  the  second  and  fourth  were 
considered  in  these  trades,  since  they  will  meet  the  six  minute  accuracy  re¬ 
quirement  with  minimum  hardware.  A  summary  of  the  R/D  trades  is  presented  in 
Table  A-3  at  the  end  of  this  section. 

A. 3. 3.1  R-C  Bridge/Pulse  Width  to  Digital  R/P  The  operation  of  this  resolver 
to  digital  converter  is  identical  to  the  baseline  RAEEC  design  described  in 
Section  A. 2. 3  with  one  exception:  instead  of  the  resulting  pulse  width  gating 

precision  2  MHz  clocks  into  a  custom  LSI  chip,  a  standard  programmable  interval 
timer,  LSI  8253,  is  used.  This  concept  is  referred  to  as  alternate  design  *1 
and  is  shown  in  Figure  A-27. 

A, 3.3.2  Precision  Rectification  R/D  This  type  of  R/D  converter  is  shown  as 
alternate  design  #2  in  Figure  A-28.The  resolver  sine  and  cosine  inputs  are  time 
multiplexed  through  a  voltage  follower,  and  then  converted  to  a  "0  to  10  Vdc'' 
signal  by  a  precision  rectifier.  This  DC  output  is  then  converted  to  digital 
by  an  A/D,  which  in  this  case  is  the  "Smart  Triple  Ramp"  A/D.  This  smart  A/D 
has  the  advantage  over  other  A/D's  in  that  it  can  control  its  own  resolver  in¬ 
put  multiplexing,  perform  its  own  built-in  test,  provide  offset  error  correc¬ 
tion  if  required,  and  provide  fault  isolation. 

A . 3 . 4  Resolver  Excitation 

In  the  alternate  design  trade  studies,  two  concepts  for  resolver  7  Vrms  sine- 
wave  excitation  were  considered: 

a.  Custom  monolithic  design  of  the  baseline  excitation  circuit. 

b.  State-of-the-art  improvements  to  the  baseline  design. 

Since  only  one  or  possibly  two  of  these  circuits  are  used  per  channel,  it  was 
considered  uneconomical  to  convert  this  circuit  to  a  custom  chip.  National 
Semiconductor  is  manufacturing  commercial  monolithic  devices  which  with  the 
addition  of  a  few  resistors  and  capacitors  can  be  made  into  bandpass,  band 
elimination,  butterworth,  etc.,  filters.  It  is  conceivable  that  one  of  these 
components  would  replace  the  two  stage  tuned  filter  n  the  1980's,  once  it 
became  a  militarized  component. 

The  only  improvement  which  was  feasible  in  the  RAEEC  time-frame  was  to  replace 
the  Motorola  hybrid  MC1538  with  a  monolithic  Harris  HA2635  driver  as  shown  in 
Figure  A-29. 


357 


i 


#  Of  Components 


#  Of  Solder  Joints 


Board  Area  (In^) 


Power  (Watt) 


Custom  I.C.  Required 


Drift  Correction 


Range  Check 


Digital  Scaling 


Mux  Addressing 


Self  Test 


BASCLINE 
RESOLVER  TO 
DIGITAL  CONVERTER 

ALTERNAIE  #  1 

R/D  CONVERTER 

ALTERNATE  #  2 
R/D  CONVERTER 

32 

26 

29 

195 

102 

225 

- 

8.36  In2/5.94* ** 

5.00/4.12  In2* 

9.71/4.69  In2 

.33 

.415 

1.08/. 8* 

Yes 

No 

No 

No 

No 

Yes 

No 

No 

Yes 

No 

No 

Yes 

No 

No 

Yes 

NO 

No 

Yes 

*  Improvement  using  leadless  carriers. 

**  Improvement  using  CMOS. 


358 


E-6030 


FIGURE  A-28  RESOLVER  TO  DIGITAL  CONVERTER  (ALTERNATE  DESIGN  #2) 


A, 3. 5  Torque  Motor  D/A's  and  Drivers 

This  circuit  is  capable  of  driving  a  torque  motor  with  an  average  DC  current 
of  40  milliamperes  using  a  pulse  width  modulation  technique.  Positive  or  neg¬ 
ative  pulses  of  40  msec  at  a  frequency  of  50  Hz  drive  the  torque  motor.  The 
duty  cycle  can  vary  from  0  to  100%  with  a  granularity  of  256  increments.  A 
microprocessor  controls  8  torque  motor  driver  circuits.  The  microprocessor's 
task  is  to  turn  "on"  and  "off"  either  a  +14  volt  switch  or  a  -14  volt  switch 
at  50  Hz  at  the  proper  pulse  width.  All  inputs  and  outputs  of  the  micropro¬ 
cessor  are  buffered  by  latches  because  of  the  number  of  required  I/O  signals. 

The  torque  motor  controller  is  a  stand-alone  circuit  that  is  a  slave  to  the 
central  processor  (Figure  A-30  and  Table  A-4). 

A. 3. 6  Solenoid  Drivers 

There  are  two  alternate  solenoid  driver  designs;  alternate  fl  ,  corresponds 
with  the  "constant  voltage  alternator",  and  alternate  #2  corresponds  with  the 
"constant  current  alternator"  power  system. 

A. 3. 6.1  Alternate  Assign  #1  Solenoid  control  data  from  the  control  CPU  is 
stored  in  a  TTL  register  (SH541S164).  This  register  will  control  8  individual 
solenoids.  When  the  output  of  the  register  is  a  logic  "1"  (5  volts),  the  sol¬ 
enoid  will  be  activated  by  the  power  booster  ULN-2804.  The  solenoid  is  powered 
by  2C  preregulated  volts  from  the  power  supply.  The  output  state  of  the  sole¬ 
noid  IS  monitored  by  a  LM148  for  fault  detection  (Figure  A-31). 

A. 3. 6. 2  Alternate  Design  #2  Solenoid  control  data  is  loaded  from  the  main 
CPU  into  a  TtL  holding  register  (SN54L5164).  This  register  is  capable  of  con¬ 
trolling  8  individual  torque  motor  circuits.  The  output  of  the  register  con¬ 
trols  a  CMOS  switch  (Hl-201).  This  switch  applies  current  to  the  power  ampli¬ 
fier,  LM195,  which  activates  the  solenoid.  The  LM148  op-amp  provides  solenoid 
state  information  for  fault  detection  (Figure  A-32). 

A. 3. 7  Pressure  Sensors  and  Circuitry 

As  explained  in  Section  3. 2, 4. 4,  a  full  duplication  of  pressure  sensors  would  not 
be  practical  from  a  reliability  enhancement  standpoint.  A  tradeoff  study  was 
carried  out  to  determine  if  it  is  feasible  to  replace  the  twelve  single  pres¬ 
sure  sensors  with  six  quasi-redundant  pressure  sensor  packages  without  signif¬ 
icantly  degrading  RAEEC  reliability.  The  most  feasible  configuration  appears 
to  be  a  pressure  sensor  with  single  cylinder  and  coils,  but  provided  with  dual 
oscillator  circuits,  PROMs,  and  temperature  sensors.  This  study  is  described 
in  Section  3.2.4. 


362 


CLOCK 


TABLE  A-4  SUMMARY  TORQUE  MOTOR  DRIVERS 


BASELINE 

TORQUE  MOTOR  DRIVER 

ALT  #  1 

TORQUE  MOTOR  DRIVER 

#  Of  Components 

175 

82 

#  Of  Solder  Joints 

1302 

741 

Board  Area  (In^) 

43.08/30.5* 

32.8/12.8* 

Power  (Watt) 

7.48 

5.78/3.712** 

Self  Test 

No 

Yes 

*  Area  saving  by  use  of  leadless  carriers, 

**  Power  saving  by  use  of  CMOS. 


SOLENOID 


I 

U. 


figure  A-3 


V  V 


V  V 


J 


(CONSTANT  VOLTAGE  ALTERNATOR) 


E-5686 


1  SOLENOID  DRIVER  ALTERNATE 


SOLENOID 


(CONSTANT  CURRENT  ALTERNATOR) 


E-5684 


FIGURE  A--32  SOLENOID  DRIVER  ALTERNATE  ^2 


366 


The  trade  studies  involved  five  oscillator  circuit  confiqurations  which  per¬ 
form  identically  as  described  in  Section  A. 2. 7,  with  one  exception;  since 
six  sensors  are  utilized  by  two  RAEEC  channels,  each  sensor  and  electronics 
now  comprise: 

1.  Two  independent  1N4850  diodes. 

2.  Two  independent  sensor  characterization  PROMs. 

3.  Dual,  independently  powered,  fault  tolerant,  oscillator  circuitry. 

The  concept  of  dual  oscillator  electronics  is  shown  in  Figure  A-33.  Note  that 
with  the  isolation  resistors  (R)  and  capacitors  (C),  the  surviving  oscillator 
circuit  will  maintain  proper  sensor  oscillations. 

A. 3. 7.1  Oscillator  The  six  different  oscillator  circuits  are  summarized 
in  fable  A-5.  They  employ  varying  degrees  of  thick  film  resistor  networks, 
quad  op-amps,  discretes,  and  custom  monolithic  circuitry. 

^•3.7.2  Sensor  Frequency  to  Digital  Ccnverter  The  proposed  frequency  to 
digital  conversion  circuitry  for  the  pressure  sensors  requires  two  thirds  of 
a  universal  counter  chip  and  one  digital  multiplexer.  The  multiplexer  will 
gale  one  of  two  channels  to  the  universal  counter  chip.  The  universal  counter 
chip  will  be  configured  as  a  divide  by  N  period  counter  which  will  be  used  to 
gate  a  high  frequency  clock  into  another  sixteen  bit  counter,  also  contained 
on  the  N-channel  counter  chip  (Figure  A-34), 

A. 3.8  Low  Level  DC  Interface 

The  proposed  low  level  interface  multiplexes  four  low  level  signals  into  a 
high  impedance  instrumentation  amplifier.  The  signals  are  amplified  to  a  O-IOV 
level  and  multiplexed  along  with  the  TBT  signal  into  the  analog-to-digi tal 
converter  buffer.  The  buffer  provides  a  higher  current  drive  for  the  A/D  con¬ 
verter.  The  circuitry  is  reduced  by  using  multiplexers  having  internal  pro¬ 
tection  (Figure  A-35).  Note  that  the  primary  RAEEC  channel  requires  two  of 
these  interfaces,  while  the  secondary  requires  only  one. 

A. 3. 9  Resolver  Multiplexer 

This  resolver  multiplexing  scheme  employs  an  improved  CMOS  technology  known  as 
dielectrically  isolated  CMOS,  The  selected  multipk,,ing  devices  have  internal 
protection  which  makes  possible  the  elimination  of  considerable  external  pro¬ 
tective  hardware  (Figure  A-36), 


367 


E-5677 

FIGURE  A-33  PRESSURE  SENSOR  CIRCUITRY 


table  A-5  raeec  sensor  trades 

_  (PER  SENSOR) 


CIRCUIT  DESIGN 

#  PARTS 

POWER 

AREA 

RELIABILITY 

SCORE 

Baseline 

32  +  5.5 
(37.5) 

0.578 

7.63 

246 

Navy  AP  Sensor 

Alt  1 

21  +  3.65 
(24.65) 

0.555 

3.73 

300 

EPR  Sensor 

Alt  2 

19  +  3.65 
(22.65) 

0.555 

3.57 

300 

Custom  Sensor 

i2l 

Alt  3 

9  +  0 

0.500 

1.89 

264 

Hybrid  Navy 

A  P  Sensor 

Alt  4 

8.5  +  3.65 

0.555 

2.44 

215 

Hybrid  Gate  Array 
I2l 

Alt  5 

_ 

1  Hybrid 

2  Caps 

(40  Pin  Pkg) 

0.500 

3.83 
(No  LCC) 

205 

FIGURE  A-34  SENSOR  FREQUENCY  TO  DIGITAL  CONVERSION 


FIGURE  A-35  LOW  LEVEL  INTERFACE 


LINES 


3  COMP  .  355  W 


E-  5821 


FIGURE  A-36  RESOLVER  MULTIPLEXER 


37? 


A. 3. 10  Discrete  Signal  Conditioner  Circuit 

The  proposed  signal  interface  inputs  three  discrete  switch  closures,  a  LOO 
detector,  and  a  serial  data  stream  transmitting  the  mach  number.  The  discrete 
switch  closures  are  conditioned  with  a  diode  resistor  network  that  provides 
well  defined  logic  levels  to  the  I/O  ports  of  the  8041  universal  peripheral 
interface.  The  8041  is  also  used  to  read  the  serial  data  stream  and  transfer 
the  mach  number  to  the  main  CDU.  Tlie  LOD  detector  output  is  rectified  and 
used  to  charge  a  capacitor  which  is  monitored  by  the  A/0  converter  to  deter¬ 
mine  if  a  "light  off"  condition  is  present  (figure  A-37). 

A . 3 . 1 1  Frequency  to  Digital  Speed  Interfaces 

The  proposed  speed  circuit  is  an  8253  programmable  counter  to  convert  Nl  and 
Np  frequency  to  digital  information.  The  counter  is  configured  as  a  divide 
by  fi  counter  which  is  used  to  enable  a  high  frequency  clock  into  a  16  bit 
counter  also  contained  on  the  8253.  The  signals  are  conditioned  by  using  a 
quad  comparator  that  converts  to  the  proper  logic  levels  internally.  The  com¬ 
parators  are  provided  with  hysteresis  to  minimize  the  effects  of  noise  on  low 
frequency  conversions.  Diode  protection  is  also  provided  to  protect  the  com¬ 
parator  inputs  fiom  overvoltage  transients  (figure  A-3S). 

A. 3. 12  Turbo  Pumo  Speed  Interface 

The  proposed  turbine  pump  speed  interface  inputs  a  pulse  train  from  a  magnetic 
pickup.  The  frequency  of  the  pulses  is  proportional  to  the  turbine  pump  speed. 
The  pulses  are  converted  to  logic  levels  with  a  comparator  and  fed  into  a  uni¬ 
versal  counter  chip,  This  chip  is  programmed  to  count  a  specified  number  of 
periods  and  gate  a  high  frequency  clock  into  a  self  contained  counter.  The 
final  count  can  be  read  by  the  CPU  to  determine  turbine  pump  speed  (Fig¬ 
ure  A-39) . 

A, 3. 13  Fault  Detection  Locic 

The  primary  channel  receives  four  fault  signals  from  the  secondary  channel. 

The  secondary  channel  also  receives  four  fault  signals  from  the  primary  chan¬ 
nel,  A  buffer  and  peripheral  resistors  are  used  for  each  signal  path  to  itt- 
terface  the  two  channels.  The  fault  signal  paths  for  both  channels  are  of  a 
CMOS  design  with  the  constraint  that  no  input  signals  can  be  present  when  the 
system  is  not  energized.  The  power  supplies  from  the  two  cliannels  are  OR'ed 
and  then  fed  to  both  fault  detection  logic  circuits.  This  ensures  that  both 
fault  detection  circuits  will  be  powered  if  either  channel  is  powered,  thus 
satisfying  the  constraint  that  no  input  signals  can  be  present  when  the  system 
is  not  energized  (figure  A-40). 


373 


FIGURE  A-38  SPEED  INTERFACE 


3 


FAULT  SIGNALS 
FROM 

SECONDARY  CHANNEL 


note:  the  circuit  is  repeated  for  the  opposite 

DIRECTION  (FROM  PRIMARY  TO  SECONDARY) 


FIGURE  A-40  FAULT  DISCRETES 


A, 3. 14  Power  Supply  System 

A. 3. 14.1  Alternate  ^1  The  power  source  is  a  voltage  controlled  "flux 
switching"  type  alternator.  Input  power  is  rectified  and  capacitor  filtered. 

The  rectified  voltage  (20  Vdc)  is  sensed  and  compared  with  a  reference.  The 
resultant  error  signal  is  amplified  and  used  to  control  the  field  of  the  al¬ 
ternator,  thus  maintaining  a  constant  20  Vdc  from  the  alternator.  The  +20V  is 
used  to  power  all  solenoids,  the  +15V  regulator  and  the  +5V  regulator.  The 
+5V  regulator  is  a  pwm  switching  type  regulator.  The  +5V  powers  all  of  the 
logic  and  memory  circuits.  The  +15V  regulator  is  a  series  monolithic  regula¬ 
tor.  The  +15V  supplies  the  positive  rail  for  analog  circuits  Li  *orque  motors^ 
the  +10V  reference,  and  an  inverter  from  which  negative  voltages  ■  developed. 
The  inverter  is  operated  in  sync  with  the  +5V  switching  regulator  cc  preclude 
any  beat  effects.  Inverting  action  is  accomplished  through  a  transformer  with 
transistor  push-pull  drive.  -15V,  and  any  other  negative  voltages  that  may 
be  desired,  are  derived  from  the  transformer  secondary.  -15V  supplies  the 
negative  rail  for  analog  circuits  and  torque  motors. 

A  comparator  monitors  +5  for  overvoltage  and  has  authority  to  decrease  the 
+20V  bus  if  an  overvoltage  condition  is  detectea.  Three  additional  compara¬ 
tors  monitor  +5  for  low  voltage  and  +10  for  high  or  low  voltage.  All  four 
comparators  have  authority  to  generate  a  power  supply  reset  (PSR)  signal  if 
voltage  is  out  of  tolerance  (Figures  A-41  and  A-42  and  Table  A-6). 

A. 3. 14.2  Alternate  #2  The  power  source  is  a  30  permanent  magnet,  consuant 
current  alternator!.  TiTput  power  is  rectified  and  converted  to  two  constant 
voltages  (+14  and  -14)  by  two  switching  shunt  regulators.  These  are  "nondis- 
sipative"  regulators.  They  control  the  voltage  by  pulse-width  modulating  the 
current.  Input  current  is  3,3  to  4.0  ADC.  Current  not  required  by  the  load 
is  switched  to  ground  (shorted  out).  A  bank  of  four  capacitors  supplies  the 
load  while  the  input  is  shorted.  When  the  short  is  removed,  the  capacitors 
are  recharged  through  a  clamp  diode. 

+  14V  is  utilized  by  the  effectors  and  analog  circuits,  +5V  for  the  logic  and 
memory  circuits  is  derived  by  a  monolithic  series  regulator  powered  off  the 
+14V  bus.  +10V  for  the  analog  circuits  is  developed  from  +14V  by  means  of  a 
precision  reference  device. 

A  comparator  monitors  +5  for  overvoltage  and  has  authority  to  decrease  the 
+14V  regulator  if  an  overvoltage  condition  is  detected.  Three  additional  com¬ 
parators  monitor  +5  for  low  voltage  and  +10  for  high  or  low  voltage.  All  four 
comparators  have  authority  to  generate  a  power  supiJy  reset  (PSR)  signal  if 
voltage  is  out  of  tolerance  (Figure  A-43  and  Table  A-6). 


376 


+  20  V 


POWER  SUPPLY  BLOCK  DIAGRAM  ALTERNATE  ^1 


FtGURE  A-42  A/C  INTERFACE,  POWER  SUPPLY  SYSTEM 


TABLE  A-6  POWER  SUPPLY  REQUIREMENTS 

--  - 

_  Power  Supply 

Load  Rating 

Baseline 

Alternate 

Alternate 

Design 

#2 

#1 

45V 

.65A 

.90A 

.90A 

4lOV 

.45A 

.01 5A 

.015A 

414V/415V 

1.90 

2.08A 

.30A 

-14V/-15V 

3. 00  A 

3.  OCA 

.40A 

420V 

- 

- 

3.10A 

Typical  Power  Dissipation^ 


Prime 


Baseline 

Design 

Design  HZ 

Design 

Input  Bridge 

7.00W 

7.CCW 

3.40W 

Alt.  Volt.  Control  Crt. 

- 

- 

3.40W 

+15V  Series  Reg 

- 

- 

4.68W 

Inverter  &  -15  Supply 

- 

- 

1 .  SOW 

+14V  Shunt  Reg 

35. SOW 

4.40W 

- 

-14V  Shunt  Reg 

41.30W 

4.40W 

. 

410V  Reg 

1.60W 

O.lOW 

O.lOW 

+5V  Reg 

5.20W 

7.20W 

1.75W 

PSR/OV 

.low 

.low 

O.lOW 

LOO  in  Standby 

0 

.low 

O.lOW 

Power  Supply  Sub  Total 

“5O0lT 

23.3C)W 

EEC  Digital 

Analog 

Drivers  (Series  Prop) 
Total  Non  P/S 
\  Total  EEC 

6.1 

5.95 

3.0 

15.05W 

T0377W 

4.0 

5.75 

3.0 

12.75W 

TTOT 

4.0 

6.15 

3.35 

13. SOW 

Secondary 

105. 75W 

36.05W 

29.03W 

Grand  Total 

211. SOW 

72. low 

5S.06W 

*Assumptions  used  in  typical  power  dissipation  above: 


381 


TABLE  A-6 


Typical  Power  Dissipation*  (Continued) 


14V  Solenoids  (?.4A 
20V  Solenoids  @.3A 
28V  Solenoids  0.2A 
Torque  Motors  .05A/.15A 
Analog  Load  ,2A/.2A 
+10V  Load 
+5V  Load 


Basel ine 

Design  Alternate  #2  Alternate  #1 


1  1 

0  0 

2  2 

+14V/.14V  +14V/-14V 

+14V/-14V  +14V/-14V 

.35A  ,015A 

.65A  ,8A 


0 

3 

0 

+15V/-15V 

+15V/-15V 

..015A 

.8A 


382 


A. 3. 15  Centrdl  Processor 


The  RAEEC  Central  Processor  is  seen  as  a  complex  function  comprising  the  Pro¬ 
cessor,  the  RAM,  the  ROM,  the  test  DART,  and  the  Dual-Port  RAM.  The  following 
paragraphs  describe  the  detailed  trade  studies  performed  on  eacii  of  the  afore¬ 
mentioned  five  functions. 

A. 3. 15.1  Processor  Trades  The  study  was  divided  into  detailed  studies  of 
three  different  computer  architectures  which  could  be  designed  into  fuel  con¬ 
trols.  They  are: 

a.  A  fault-tolerant  "51SD"  machine  (Figure  A-44). 

b.  A  "Multiple  Instruction  Multiple  Data"  (MIMD)  parallel  processing 
machine  comprising  two  or  more  off-the-shelf  16-bit  microprocessors, 
each  ju. -processor  with  its  own  RAM  and  ROM  (Figure  A-45). 

c.  A  "Single  Instruction  Single  Data"  (SISD)  or  "single  Instruction 
Multiple  Data"  (5IMD)  simplex  machine.  (Figure  A-46). 

It  was  first  determined  that  each  of  the  above  architectures  met  the  instruc¬ 
tion  throughput  requirements  of  at  least  450  thousand  operations  per  second 
(450  KOPS).  This  benchmark  was  generated  from  a  "Fuel  Control  Instruction  Mix" 
(based  on  Hamilton  experience),  operating  at  a  18  millisecond  loop  update  time, 
with  2.7ms  spare. 

A  detailed  parts  list  was  generated  for  each  of  the  "blocks"  of  the  three 
block  diagrams  so  that  area,  power  dissipation,  number  of  components  and  re¬ 
liability  improvement  could  be  traded  off  on  a  block  by  block  basis. 

Triple  Redundant  Machine  Architecture 

The  fault-tolerant  TRD  macnine  architecture  shown  in  Figure  A-47  is  based  on  the 
"2901"  bit  slice,  since  the  "2901"  is  well  known  in  the  military  arena.  In 
order  to  provide  a  parts  list  for  this  system,  a  design  for  a  simple-simplex 
2901  machine  was  generated  and  then  scaled  up  by  a  factor  of  4.12.  This  ratio 
was  determined  from  the  210  components  utilized  by  the  G.E,  self  diagnosing 
fault  tolerant  microprocessor  (Reference  lO)  (SDFTP),  divided  by  51  components 
required  for  a  simple-simplex  "2901"  machine;  i.e.,  210/51  =  4.12.  In  this 

way,  a  12.39  in^  11.65  watt  simplex  machine  was  ratioed  into  a  51  in^  47.96 
watt  TRD  machine. 


384 


INTERFACES  INTERFACES  D.P.  RAM 


TEST/DIAGNOSTICS 
DATA  LINK 


E~2Z3E 


FIGURE  A-45  RAEEC  CPU  BLOCK  DIAGRAM  (FOR  A  PARALLEL  MULTIPLE 
INSTRUCTION  MULTIPLE  DATA  MACHINE  ARCHITECTURE) 


386 


FIGURE  A-46  RAEEC  CPU  BLOCK  DIAGRAM  (FOR  SINGLE  INSTRUCTION  SINGLE  DATA 
OR  "SINGLE  INSTRUCTION  MULTIPLE  DATA"  MACHINE  ARCHITECTURE) 


387 


STatutDiTi  Ttkro<nnfucTio»' 


Another  fault  tolerant  machine  worthy  of  mention  is  the  "USAF  Fault  Tolerant 
Computer"  which  was  presented  at  the  1978  Government  Microcircuits  Applications 
Conference  (GOMAC).  This  machine,  shown  in  Figure  A-48,  comprises  four  proces¬ 
sors,  two  of  which  are  power  strobed  off,  one  which  is  running  the  system  control 
task,  and  one  which  is  monitoring  the  controlling  processor.  Even  though  this 
"machine"  chose  low  power  SOS  CMOS  for  its  technology  (which  provided  a  RAD- 
hard  process),  it  wasn't  seriously  considered  for  the  RAEEC  task,  due  to  its 
high  parts  count  and  relatively  slow  200  KOPS  instruction  rate.  (This  rate 
might  be  substantially  higher  for  a  fuel  control  instruction  mix,  however). 

Multiple  Processor  Architecture 

The  multiple  processor,  "Multiple  Instruction  Multiple  Data"  architecture 
shown  in  Figure  A-45,  is  seen  as  an  extremely  viable  alternative  to  systems 
houses  which  are  unable  to  locate  a  military  single  chip  processor  with  enough 
throughput.  The  parts  lists  for  this  system  were  based  on  two  Intel  8086  15- 
bit  machines,  since  it  is  expected  that  the  8086  will  eventually  become  full- 
MlL-Spec  devices,  (preliminary  test  data  shown  in  Figure  A-49  indicates  full  mil 
possibilities).  It  can  be  shown  that  an  8086  executing  a  fuel  control  instruc¬ 
tion  mix,  will  conservatively  execute  at  approximately  325  thousand  operations 
per  second.  Since  approximately  40%  of  the  fuel  control  program  is  dedicated 
to  I/O  handling,  it  appears  that  one  good  architecture  partition  is;  A  dedi¬ 
cated  1/0  processor  handling  40%  of  the  total  task,  and  a  dedicated  control 
processor  handling  60%  of  the  total  task.  (This  architecture  is  also  known 
as  "loose  coupled  parallel  processing",)  In  order  to  indicate  the  effective 
performance  of  two  16-bit  -processor,  the  following  scenario  is  developed: 

Desired  throughput  goal:  450  KOPS  and  18ms  loop  update  time,  which  allows 
8100  words  to  be  executed  in  18  milliseconds. 

If  there  is  a  40/60  split  in  task,  plus  an  overhead  of  100  words  for  intra- 
/I -processor  communications,  then  I/O  =  8100  X  .4  +  100  =  3340  words 
for  the  I/O  processor.  Control  =  8100  X  .6  +  100  =  4960  words  for  the 
controls  processor.  Since  most  of  the  1/0  software  comprises  "LOAD", 

"ADD",  "STORE"  and  "MOVE"  instructions,  it  can  be  assumed  that  a  "GIBSON- 
MIX"  of  instructions  will  be  executed,  and  for  the  sake  of  argument  let 
us  assume  that  this  "pt -P"  can  execute  this  mix  at  a  400  KOP  rate.  Then 
an  I/O  cycle  can  be  executed  in  3340/400  KOFS  or  8,35  milliseconds. 

It  is  expected  that  the  controls  portion  of  the  fuel  control  program  will 
look  more  like  the  NASA  mix  of  80%  short  instructions,  and  20%  multiply, 
divide  and  other  long  instructions.  Again  for  the  sake  of  argument  let 
us  say  that  this  "/i-P"  can  execute  this  mix  at  a  300  KOP  rate.  Then  a 
control  cycle  can  be  executed  in  4960/300  KOPS  or  16.53  milliseconds. 


389 


TYPE 

DATA  FORMATS 


ADDRESS  MOOES 


CONTROL 

REGISTERS 


INTERRUPTS 

MEMORY 

THROUGHPUT 


GENERAL-PURPOSE,  STORED  PROGRAM,  PARALLEL, 
DIGITAL  COMPUTER 
FIXED  POINT 

32-BIT  BINARY  2  S  COMPLEMENT  INTEGER 
FLOATING  POINT 

24-BIT  BINARY  2  S  COMPLEMENT  MANTISSA 
8-BIT  BINARY  2  S  COMPLEMENT  EXPONENT 
95,  INCLUDING.  INTEGER,  FLOATING  POINT  AND 
VECTOR 

REGISTER-REGISTER  INDEXED  AUTO  INCREMENT 
DIRECT 

IMMEDIATE  INDEXED  AUTO  DECREMENT 

DIRECT 

direct  INDEXED  DIRECT 

INDIRECT  INDEXED  INDIRECT 

CENTRAL  MICROPROGRAMMED  CONTROL  UNIT 
EIGHT  GENERAL-PURPOSE  32-BlT  REGISTERS  THAT 
SERVE  AS  ACCUMULATORS,  INDEX  REGISTERS, 

OR  ADDRESS  POINTERS 
10  INTERRUPT  LEVELS 

UP  TO  60K  WORDS  OF  ADDRESSABLE  PROGRAM 
MEMORY 

200K  OPERATIONS  PER  SECOND  (SPECiFiED  MIX) 


E-2649 


FIGURE  A-48  FAULT  TOLERANT  SPACEBORNE  COMPUTER  (FTSC) 
CHARACTERISTICS  AND  BLOCK  DIAGRAM 


390 


. if , , ,1  *■  i 


In  the  above  discussion,  it  was  shown  that  two  microprocessors  could  perform 
their  tasks  in  parallel  in  under  18  milliseconds;  i.e.,  the  I/O  machine  can 
perform  its  task  in  8.35ms,  and  the  controls  machine  in  16.53ms.  In  order  for 
16.53ms  to  become  the  worst  case  loop  del  a)/,  the  I/O  machine  must  be  synchro¬ 
nized  to  the  controls  machine,  otherwise  the  worst  case  loop  delay  could  result 
in  the  sum  of  the  two  processing  loops,  16.53  plus  8.35  =  24.88.  If  the  I/O 
ju -processor  is  properly  synchronized,  then  the  resulting  effective  throughput 
could  be  8100  words/16.53  or  490  thousand  operations  per  second. 

The  "Full-Up"  twin  8086  parts  list  indicated  that  the  two  processors  only  dis¬ 
sipated  approximately  6  watts;  however,  in  order  to  achieve  the  required  per¬ 
formance,  several  high  power  LSI  and  MSI  devices  were  necessary  to  make  the 
processor  compliment  of  RAM,  ROM,  bus  controllers,  etc.,  operate  properly.  A 
second  design  was  then  completed  which  had  the  objective  of  minimizing  support 
LSI,  and  maximizing  the  utilization  of  CMOS  and  low  power  Schottky  MSI.  Table 
A-7  indicates  the  resultsof  these  two  trades;  the  utilization  of  off  the  shelf 
low  power  logic  resulted  in  a  reliability  improvement,  but  unfortunately,  also 
resulted  in  a  marked  degradation  in  performance. 

SISD  Processor 

The  field  of  Single  Instruction  Single  Data  (SISD)  military  16-bit  micropro¬ 
cessors  which  meet  the  450  KOPS  throughput  requirements  at  the  time  of  this 
writing  are  limited  to  the  three  known  bit-slice  machines,  and  to  the  special 
purpose,  system  house  proprietary,  custom  machines, 

Bit-Slice  Processor 

Of  the  three  well  known  bit  slice  machines  (Intel  2-bit  slice,  MMI  4-bit  slice 
and  AMD's  4-bit  slice),  th<>  most  widely  accepted  and  multiple  sourced  is  the 
AMD  2900  4-bit  slice  family.  The  "minimal"  machine  shown  in  Figure  A-50  com¬ 
prises  51  components  and  dissipates  approximately  11.7  watts,  but  easily  meets 
the  450  KOPS  throughput  requirement.  In  fact,  this  machine  will  probably  ex¬ 
ecute  a  fuel  control  instruction  mix  in  excess  of  700  KOPS  in  this  minimal 
configuration,  utilizing  MOS  RAM  and  ROM.  Please  refer  to  the  summary  shown 
in  Table  A-8. 

Custom  Processor 

Several  system  houses,  including  Hamilton  Systems  Division  of  Hamilton  Stanoard, 
have  been  forced  into  the  development  of  their  own  proprietary  custom  processors 
in  order  to  provide  a  military,  competitive,  minimum  component,  low  power 
machine  with  adequate  performance.  Hamilton  Standard  has  designed  its  own 
CMOS  Silicon-on-Sapphire  processor  to  meet  the  system  needs  of  the  1980 's  as 


TABLE  A-7  RAEEC  MIMD  TRADES 


SINCE  IT  MILL  NOT  MEET  THE  450  KOP  MINIMUM 


TABLE  A-8  SINGLE  INSTRUCTION  SINGLE  DATA  CPU  DESIGN  TRADEOFFS 


CD 

CM 

1 

J 

.  -41 

iA 

u 

n 

1 

E 

O 

■3 

LlI 

u 

CL. 

♦ 

>- 

s 

♦ 

u 

< 

1  J 

s  I 

♦ 

c 

oo 

o 

o  o 

a\ 

a. 

o. 

o 

T’ 

CO 

o 

>. 

t- 

• 

4-> 

* 

-- 

CM 

o 

Z  UJ 

-  -_ 

■  3 

S  LU 

w 

o 

s 

CD 

S  z 

o 

Ck 

o 

00 

I 

•J  i-t 

1 

uo 

r** 

z  H- 

< 

iT) 

CM 

CM 

s 

A 

CD 

o 

ac  bo 

00 

• 

• 

«J  1/) 

■3 

00 

z 

ro 

o 

00  UJ 

i 

M  l-H 

z 

LJ 

s:  CO 

LJ 

o  «c 
o 

o\  >. 

CM  0£ 

.  . 

o 

S  3e: 

O  LU 

U.  £ 

E 

S  (/) 

CSl 

♦ 

3 

4( 

« 

E 

D.  e 

CO 

CO 

*1“ 

Q. 

X 

z  o 

« 

o 

fO 

S  O 

00 

uo 

E 

CD 

ro 

z 

CM 

—  - 

oo 

CO 

X 

CM 

CM 

o 

UJ 

CO 

CM 

z 

c£ 

CM 

LU  O 

z 

o 

A 

ro 

•J  ^ 

o 

* 

CO 

<  >- 

CO 

Z  -J 
t-H  UJ 
<  > 

«/>  >— 

OS  CO  »- 
LlI  O  < 

! 

>— •  _i 

!  = 

DC  UI  UJ 

: .” 

OC  CC  OC 

:  -V 

§ 

1 

•c  < 

■'  —■. 

Q. 

E 

O  LU 

oO  Z 

z 

* 

X 

uo 

bO  Q  ^- 

o 

^  1 

!9 

bO  LU 

VO  ! 

E 

UJ  UJ 

U>  CSJ 

« 

1 

o. 

•J  Ck  CD 

00 

o 

X 

o 

O  OO 

CO 

CO 

<x  o 

CM 

LU 

LU  LU 

CM 

CM 

>- 

o 

•K 

^  UI  1— 

_l  CO 

• 

a> 

• 

Z 

1  x. 

Lul  Z 

00 

L9  U  Z 

CM 

z  ^  ^ 

< 

CQ 

z  ^ 

oo 

Z  X  t/) 

O  I-I 

Z  Z  1- 
LU  Z 

- 

Z  Z  D- 
LU  O  Z 

i 

>  Z  CD 

h- 

z 

o 

o  o  z 

z 

o 

HH 

QC  Z  O 

=.= 

CM 

V- 

(- 

O.  h-  QC 

►- 

o 

Z 

=» 

»- 

2 

Z  -J  X 

- 

z 

o. 

’j: 

Ui 

o 

1 

o. 

z 

C£ 

z 

>- 

o 

lU 

«t 

o 

o 

oo 

h- 

a. 

o 

OJ 

o 

z 

oo 

1-^ 

1— 

z 

•J 

0^ 

_l 

o 

»-H 

z 

o 

o 

< 

o 

, 

LlI 

o 

00 

z 

z 

ffi 

o 

o 

1— 

< 

u. 

ii. 

q: 

UJ 

O 

o 

o 

< 

oo 

X 

g 

o. 

QC 

< 

*!•= 

o 

CO 

o 

% 

UJ 

DC 

■ 

395 


2646 


shown  in  Figure  A-51.It  is  designated  the  SOS  US  16/24  since  it  can  be  config¬ 
ured  as  a  3-chip  16-bit  machine,  or  as  a  4-chip  24-bit  machine.  The  custom 
chip  set,  when  configured  as  a  16-bit  parallel  machine,  comprises  one  "Control/ 
Timing"  chip  and  two  "8-bit  slice"  chips,  plus  five  standard  SSI  devices  and 
four  decoupling  capacitors.  These  12  components  dissipate  a  total  of  0.32 
watts,  and  will  execute  the  fuel  control  instruction  mix  at  666  KOPS  when  con¬ 
figured  with  MOS  RAM  and  ROM.  This  machine  easily  meets  the  "450  KOPS"  minimum, 
and  could  therefore  be  slowed  30?^;  however,  by  the  time  that  a  RAEEC  system 
flys,  this  extra  capacity  may  be  required  for  future  tasks.  Please  refer  to 
the  summary  shown  in  Table  A-3. 

A, 3. 15.2  Random  Access  Memory  Trades  The  three  configurations  of  RAM  stuaied 
were  the  baseline  RAH,  all  N-cnannel  RAM,  and  all  CMOS  RAM,  A  1024  word  RAM 
block  diagram  is  shown  in  Figure  A-52.  The  number  of  components  required  is 
less  than  ten,  since  four  1C24  x  4  RAM  devices  comprise  the  memory  and  the 
other  six  devices  comprise  the  read/write  control  logic  buffering,  and  de¬ 
coupling  capacitors.  Please  refer  to  the  trade  summary  shown  in  Table  A-9. 


Error  correction  techniques  were  also  studied  in  order  to  attempt  the  realiza¬ 
tion  of  a  more  reliable  RAM  system.  However,  in  order  to  take  advantage  of 
Hamming  code  error  correction  techniques,  four  1024  X  1  RAMs  should  be  used  in 
place  of  each  1024  X  4  RAM  because  of  the  possibility  of  an  undetectable  4-bit 
failure.  Because  of  the  21  bit  word  length  required  for  single  error  correc¬ 
tion  and  dual  error  detection,  twenty-one  1024  X  ’  RAMs  plus  error  correction 
logic  would  be  required  to  replace  the  four  1024  X  4  RAMs.  Since  this  error 
correction  scheme  resulted  in  a  large  increase  in  power  dissipation  and  board 
area,  and  a  large  decrease  in  reliability,  it  is  not  presented  in  Table  19. 

A. 3, 15, 3  Read  Only  Memory  Trades  In  addition  to  the  Baseline  ROM,  four 
different  RUM  architectures  were  studied:  All  16K  words  Jltra-Violet  (U-V) 
erasable;  all  N-channel  ROM;  all  CMOS  SOS  ROM;  and  half  U-V  half  N-Channel 
ROM  as  indicated  in  Figure  A-53.  The  obvious  advantage  to  using  U-V  eras¬ 
able  ROMs  is  that  they  can  easily  be  erased  and  reprogrammed  during  the 
development  phase  of  a  program,  and  can  be  replaced  with  a  pin  for  pin  com¬ 
patible  N-channel  ROM  in  the  production  phase.  The  penalty  for  using  U-V  ROM 
is  a  possible  speed  jeopardy  due  to  its  relatively  slow  400ms  access  time,  and 
its  uncertain  data  retention  when  operating  at  temperatures  above  lOO^C. 

The  baseline  PROM  (Fuse-link  Programmable  Read  Only  Memory)  enjoyed  the  advan¬ 
tage  of  fast  turnaround  during  the  development  phase,  after  a  suitable  burn-in, 
but  suffered  from  a  high  parts  count,  and  high  power  dissipation  when  compared 
to  the  all-ROM  or  half-UV  approaches. 


396 


FIGURE  A-51  THREE- CHIP  HS  16/24  MACHINE 


FIGURE  A-52  1  024  WORD  RAM 


:EC  ram  design  TnAirOFFS 


IMPROVEMENT  USING  LEADLESS  CARRIERS 


REPLACE 


As  was  discussed  in  Paragraph  A, 3. 15.2,  Hamming-Code  error  correction  tech¬ 
niques  were  studied  for  single-bit  ROM  error  correction  and  dual  error  detec¬ 
tion,  However,  since  ROMs  today  are  configured  as  a  byte  wide  (8  bits),  the 
code  would  have  to  also  detect  the  failure  of  eight  bits  stuck  either  high  or 
low  in  the  event  of  a  ROM  chip  failure.  Because  more  than  a  5-bit  correction 
code  would  be  required  to  detect  8-bit  failures,  the  error  correction  concept 
was  configured  with  an  additional  16K  X  8  memory,  requiring  a  total  ROM  of  16K 
X  2A  bits.  When  the  final  parts-list  was  studied,  it  was  realized  that  the 
extra  Hamming  Code  parity  detection,  bit  correction  logic  was  less  reliable 
than  the  original  four  ROMs,  and  for  this  reason  is  not  detailed  in  this  study. 

Please  refer  to  the  ROM  tradeoff  suimiary  shown  in  Table  A-10. 

A. 3. 15. 4  Input/Output  Addressing  Each  and  every  computer  system  requires 
a  block  of  logic  for  special  addressing  functions,  such  as  Input/Output  inter¬ 
face  enables,  special  memory  enables,  and  special  read/write  signals.  In  small 
microprocessors,  this  logic  might  comprise  a  group  of  LSI  chips  known  as  "Perif- 
eral  Interface  Adapters",  plus  a  few  SSI  buffer  chips. 

Figure  A-54  indicates  what  the  I/O  addressing  logic  would  look  like  if  implemented 
with  either  "Programmable  Logic  Arrays"  (PLA),  or  "Programmable  Array  Logic" 

(PAL)  devices.  The  advantage  to  using  these  devices  is  that  they  replace  sev¬ 
eral  discrete  SSI  decoders  and  gates  and  can  easily  be  programmed  for  each  I/O 
application.  The  only  disadvantage  to  using  these  devices  is  their  relatively 
low  reliability  score  since  they  do  not  enjoy  the  high  volume  production  that 
bipolar  PROMs  do. 

Another  design  approach  to  the  I/O  addressing  problem  is  to  design  a  semi-cus¬ 
tom  gate-array  LSI  chip  to  perform  all  the  decoding  and  special  timing  logic. 
Obviously  if  this  LSI  chip  were  designed  in  a  CMOS  gate  array,  it  would  then 
require  only  a  single  decoupling  capacitor,  for  a  total  parts  count  of  two, 
ana  a  power  dissipation  of  only  lOOmw,  as  opposed  to  the  18-component  310mw 
baseline  configuration.  The  corresponding  disadvantage  to  this  custom  approach 
is  the  relatively  high-cost  of  a  one-per-system  LSI  device.  Please  refer  to 
the  I/O  addressing  trade  summiary  shown  in  Table  A-11. 

A. 3. 15. 5  Dual -Port  RAM  The  "Dual-Port  RAM"  logic  is  possibly  the  most  crit¬ 
ical  link  to  the  success  of  the  RAEEC  program.  This  system  must  transfer  in¬ 
formation  transparently  between  the  tv;o  processor  channels,  and  is  therefore, 
referred  to  as  a  dual-port  RAM  system,  since  each  processor  has  dual-port  like 
access  to  the  other's  critical  data.  The  actual  "D-P  RAM"  interface  design 
involves  three  individual  trades;  (a)  method  of  data  transmission  between  pro¬ 
cessors,  (b)  type  of  dual-port  logic  to  be  utilized,  (c)  survivability  of  the 
data  link  in  the  event  of  a  processor  failure. 


401 


TABLE  A-IO  RAEEC  ROM  DESIGN  TRADEOFFS 


O 

in 

I 

UJ 


a. 

o 


o 

UJ 

ec 


o 

w  • 

oc 

UJ 

M  z 
ac  o 

QC 

<  H- 

U)  o 

w*)  Oi 

h* 

Ui  (/> 

mJ  Z 
O  M 

<  _ 


<  o; 

UJ 

^  >' 

<  oc 

o 

CM  £ 

^  o 
oc  o 
o  > 

lx. 

d.  U7 
M  a 
O  UJ  z 

oc  >- 

^  ^  M 

^  &=- 

O  Ui  c 

^  oc  U) 


Ui  m  cj 
>»  X 

g  5'- 

u  2  in 

o 

O  Ui  z 
Z  ►-  u> 

o  5  o 

=* 

<  »— 

UJ  M  </) 

tt  <  o 

3;  in 


*  ¥ 


2 


'•i 


o 

Psl 

<0 

CM 

\ 

Ul 


1 

fO 

1 

1 

\n 

N 

1 

< 

1 

00 

<M 

o 

< 

in 

IF— 

PO 

CM 

o 

^  »— 

q: 

o: 

X 

I 

Z 

X 

cc 

ct 

H 

(E 

K 

a 

X 

CE  IT 

o 

o 

O 

Q 

o 

o 

9 

D 

O 

Q 

o 

o  o 

< 

< 

< 

o 

< 

< 

< 

T 

< 

< 

< 

< 

<  < 

in 

« 

U 

O 

h- 


O 

+ 

< 

h 

O 

+ 

< 

H- 

1/1 

m 


403 


FIGURE  A— 54  5  /O  ADDRESSING  (SIMPLEX  MACHINE)  PLA  APPROACH 


TABLE  A-11  RAEEC  I/O  ADDRESSING 


2651 


D-P  RAM  Data  Transmission 

One  technique  of  data  transmission  between  the  two  RAEEC  channels  is  the  "full 
parallel  word  transfer".  This  would  involve  16  data  lines,  6  data  address 
lines  and  a  pair  of  control  lines.  Since  none  of  these  lines  can  be  shared 
between  the  two  systems  because  of  possible  common  failure  modes,  48  data  and 
control  lines  would  be  required  if  this  transmission  concept  were  used. 

Another  technique  which  could  be  used  is  the  byte  transfer,  where  three  suc¬ 
cessive  bytes  would  transfer  16  bits  of  data  and  6  bits  of  data  address.  If 
this  scheme  were  selected,  only  20  lines  would  be  required  between  the  two 
channels,  10  in  each  direction. 

The  transmission  scheme  selected  in  this  sub-study  is  serial  transmission  of 
word  data.  This  system  requires  the  fewest  number  of  lines  in  each  direction; 
one  if  single  ended  or  two  if  the  transmission  is  dual  differential  to  avoid 
potential  ambiguity.  Since  "DART"  devices  are  relatively  inexpensive,  MIL- 
qualificd  and  multiple  sourced,  and  can  simultaneously  transmit  and  receive 
serial  data,  a  UART  was  chosen  for  this  purpose. 

D-P  RAM  Logic 

Once  the  transmission  medium  was  selected,  the  actual  dual-port  RAM  logic  was 
developed  and  studied.  The  five  different  approaches  studied  are  described 
briefly  below: 

a.  Real  Time  DMA  (Cycle  Steal) 

This  approach  provides  the  fastest  data  access  with  the  least  data 
transport  delay.  However,  it  requires  a  very  fast  memory  (t  access 
<  100  ns)  so  that  one  machine  isn't  slowed  by  the  one  performing  the 
DMA,  and  it  requires  full  parallel  access  (all  16  bits  of  data)  to 
prevent  data  change  during  a  DMA  cycle. 

This  concept  has  the  advantage  of  being  transparent  to  both  CPU's. 

b.  DMA  Block  Transfer 


This  concept  actually  involves  the  halting  of  a  machine  for  the  time 
it  takes  to  effect  a  complete  transfer  of  data.  Although  fast,  it 
runs  the  risk  of  an  additional  failure  mode,  whereby  the  transfer 
logic  could  paralyze  a  processor  by  holding  it  in  a  DMA  mode. 


405 


c.  Asynchronous  Data  Transfer.  With  Handshake 

This  concept  requires  a  mail-box  latch  or  "FIFO"  (First-In,  First-Out) 
approach,  where  either  a  flag  is  monitored  or  a  data  ready  interrupt 
is  generated.  In  either  case,  extra  overhead  for  both  CPU's  is  re¬ 
quired  to  maintain  the  data  transfer,  (Refer  to  AM  2950  8  bit  paral¬ 
lel  I/O  port). 

d.  Virtual  Dual-Port  RAM 

This. concept  requires  that  several  off  the  shelf  dual-port  RAMs  be 
tied  together  to  make  a  large  enough  cache;  however,  this  system  pro¬ 
vides  a  real-time  data  transfer,  without  any  possible  interference 
between  the  two  machines. 

e.  Simulated  Oual-Port  RAM 

This  concept  provides  the  advantage  of  transparency  between  machines, 
but  adds  an  additional  data  transport  delay  which  is  a  function  of 
the  data  transmission  concept  utilized.  Data  is  accessed  on  a  cycle- 
steal  DMA  basis  and  then  sent  serially  to  a  second  cycle-steal  DMA 
interface,  where  the  data  is  transparently  placed  into  the  second 
machines  RAM. 

This  was  the  concept  used  in  the  baseline,  which  was  improved  in  alternate 
design  #1  shown  in  Figure  A-E5,  Alternate  design  #2  assumes  the  design  of  a 
custom  CMOS  dual-port  RAM,  which  reduced  the  parts  count  from  37  1/3  to  2b, 
as  indicated  in  the  trade  summary  shown  in  Table  A-12. 

Alternate  Backup  Modes  for  a  Failed  Processor  in  a  Dual  Channel  System 

An  obvious  multiple  failure  situation  that  could  occur  and  would  result  in  a 
completely  inoperable  system,  if  link  operation  were  dependent  on  the  CPU,  is 
when  a  central  processing  unit  (CPU)  in  one  channel  fails  and  any  other  func¬ 
tional  block  in  the  other  channel  fails. 


The  real  choices  can  be  reduced  to  a  few  obvious  alternatives.  These  alterna¬ 
tives  all  consist  of  ways  of  providing  a  backup  capability  for  the  CPU  to 
either  provide  full  capability,  partial  capability,  or  conditional  capability. 

By  this  it  is  meant  that  full  capability  implies  that  the  backup  system  has 
the  same  level  of  performance  as  the  prime.  Partial  capability  implies  that 
the  backup  system  has  a  lesser  level  of  performance  than  the  prime.  Conditional 
capability  means  that  backup  capability  may  or  may  not  exist  depending  upon 
the  mode  of  failure  of  the  prime  and,  for  this  discussion,  that  if  backup  cap¬ 
ability  can  be  provided  it's  performance  level  will  be  less  than  that  of  the 
prime. 


407 


FIGURE  A-55  DUAL  PORT  RAM  "IMMEDIATE  TRANSFER  ' ALTERNATE  1 


TABLE  A-12  raeEC  DUAL-PORT  DESIGN  TRADEOFFS 


408 


. . .  ■  . . .  “■  'ir-lliiUi! . . . .  :Hiaj.jiii  iiiliiilrHi,l;.l|)-U.  In 


The  tabulated  choices  include  the  following: 

a.  Full  Capability  Backup  Using  an  Additional.  Identical  CPU 

The  advantages  of  this  approach  are  that  the  task  for  the  CPU  remains 
the  same  and  therefore,  does  not  entail  reconfiguration,  redefinition, 
or  alternate  modes  of  operation  which  would  involve  extra  firmware; 
it  also  allows  operation  with  no  degradation  of  performance.  The 
backup  system  is  also  allowed  to  remain  idle,  with  no  power  applied. 
Consequently,  the  backup  is  a  "cold  spare",  which  is  more  reliable 
having  accumulated  no  operating  time. 

The  disadvantages  are  that  the  approach  is  expensive  in  hardware,  and 
consumes  considerable  space  (Figure  A-56). 

This  microcomputer,  the  "link-alive  processor",  is  shown  with  the  dual-port 
logic  in  Figure  A-55. 

b .  Conditional  Capability  Backup  Using  The  "Failed"  CPU  at  Reduced  Per¬ 
formance  Capability 

The  advantages  of  this  appt'oach  are  that  the  cost,  power  and  space 
requirements  are  less  than  those  of  the  first  alternative.  Switching 
is  not  involved  except  for  PROM  devices,  and  isolation  of  failed  hard¬ 
ware  is  a  software  rather  than  a  hardware  functioh.  This  approach 
also  encompasses  memory  failures  (PROM)  since  a  separate,  reduced 
performance  memory  replaces  the  main  memory  after  a  failure. 

The  disadvantages  are  that  many  failures  will  make  the  CPU  completely 
■inoperable  rather  than  providing  graceful  degradation  to  a  reduced 
performance  mode.  Software  error  detection  schemes  must  be  more 
sophisticated  and  therefore,  consume  more  memory  space. 

By  making  certain  assumptions,  the  last  alternative  yeilds  the  greatest  in¬ 
crease  in  reliability  for  an  incremental  increase  in  redundancy  and  cost. 

One  of  these  assumptions  is  that  the  CPU's  performance  could  be  reduced  to 
having  the  capability  to  do  basic  information  transfers.  Transfers  such  as 
inputting,  outputting,  register  to  memory  and  memory  to  register  operations 
as  well  as  a  single  conditional  skip  and  a  single  jump  operation.  This  rudi¬ 
mentary  capability  was  assumed  to  be  adequate  for  a  minimum  performance  backup 
CPU.  Another  assumption  is  that  error  detection  be  limited  to  nonquantifying 
decisions  so  that  any  failure  resulted  in  assuming  performance  capability 
degradation  to  the  basic  operations  discussed.  This  last  assumption  yields  a 
large  pay  back  in  the  reduction  of  the  sophistication  of  software,  the  amount 
of  diagnostic  software,  the  number  of  backup  modes  of  operation,  and  the  time 
necessary  to  achieve  error  detection. 


409 


FIGURE  A  56  FULL  CAPABILITY  BACKUP  USING  AN  ADDITIONAL,  IDENTICAL  CPU 


An  investigation  at  the  circuit  level  revealed  that  approximately  60%  per¬ 
cent  of  the  transistors  on  the  chip  could  be.  stuck  in  either  the  high  or  low 
state  (these  were  considered  one  at  a  time,  not  all  at  once)  and  an  operable 
system  could  be  maintained  if  limited  to  the  discussed  operations. 

This  approach  requires  that  the  failed  CPU  perform  extensive  diagnostics  on 
itself,  to  determine  which  instruction  has  failed,  and  to  branch  to  a  backup 
I/O  routine  which  does  not  contain  the  failed  instruction.  In  this  mode,  the 
failed  operable  CPU  provides  I/O  capability,  via  dual  port  RAM,  to  the  healthy 
CPU,  thereby  allowing  additional/multiple  I/O  failures  with  no  degradation  in 
performance  (Figure  A-57). 

c.  Partial  Capability  Backup  Using  a  Single-Chip  CPU  . 

The  advantages  of  this  approach  are  that  the  system  cost  is  less, 
power  is  less,  and  space  requirements  are  less  than  the  first,  or 
second  approach,  while  many  of  the  good  characteristics  of  both  are 
retainer.  It  should  be  understood  that  in  this  discussion  the  single¬ 
chip  CPU  includes  its  own  RAM  and  ROM  on  the  chip.  And  since  the 
single-chip  CPU  is  actually  a  stand-alone  microcomputer  it  is  only 
dependent  on  the  main  CPU's  Built-in  test  output  for  its  operational 
mode;  i.e.,  if  the  main  CPU  fails  its  instruction  test,  RAM  diagnos¬ 
tic,  or  ROM  sum  check,  or  continuously  watchdog  times-out,  then  this 
backup  CPU  will  take  over  control  of  the  operation  of  the  dual-port 
link. 


This  latter'  approach  was  the  one  chosen  to  maintain  the  data-link 
survivability,  and  in  fact  is  referred  to  as  the  "Vink-alive"  pro¬ 
cessor.  Its  two  mein  functions  are: 

(1)  To  service  the  dual-port  UART;  to  check  word  formatting,  parity, 
etc.,  and  to  self-test  the  link. 

(2)  In  addition  to  the  above,  if  the  Built-in  test  logic  indicates 
a  faiVjre  of  the  main  CPU,  this  machine  will  communicate  to 
all  I/O,  and  format  this  information  for  the  dual-port  link. 


411 


A, 3, 15. 6  Test  UART  The  Test  UART  is  actually  only  used  for  ground  test 
troubleshooting,  and  therefore,  could  fail  and  never  cause  any  degradation  in 
any  fliglit  mode.  Since  the  baseline  test  UART  already  used  a  minimum  of  com¬ 
ponents,  the  only  possible  improvements  would  be  to  use  leadless  chip  carriers 
and  to  use  the  28  pin  USART  instead  of  the  40  pin  UART  in  order  to  cut  back  on 
solder  connections.  Refer  to  Figure  A-58  and  the  trade  study  summary  shown  in 
Table  A~13. 


A. 4  Matrix  Trade  Summary;  Alternatives 

The  tables  provided  in  this  section  present  a  concise  summary  of  the  important 
parameters  associated  with  each  of  the  fourteen  ci'^cuit  partitions.  Table  A-14 
presents  the  power  dissipation,  leadless  chip  carrier  (LCC)  printed  circuit 
board  area,  and  reliability  weighting  factor  associated  with  the  different  cir¬ 
cuits  studied  for  the  RAlEC  primary  channel.  Table  A-15  provides  basically  the 
same  information  as  Table  A-14  except  that  the  RAEEC  secondary  channel  pre¬ 
sented  has  one  less  "A/D",  one  more  "R/D",  one  less  "low  level  interface", 
and  15  torque  motor  drivers  instead  of  the  primary's  16. 

With  the  information  provided  in  the  above  tables,  a  power/area/rel i abi 1 ity 
sensitivity  study  was  summarized  in  Table  A-16.  The  objective  of  this  summary 
was  to  indicate  the  total  effect  on  an  electronic  fuel  control  if  all  elec¬ 
tronics  were  selected  for  (1)  minimum  power  dissipation,  or  (2)  minimum  printed 
circuit  board  area,  or  for  (3)  maximum  reliability.  Althrough  the  numbers  in 
the  Reliability  cclurnns  are  really  representative  of  each  circuit's  "Reliabil¬ 
ity  Figure  of  Merit"  (as  explained  in  the  Reliability  section  of  the  Develop¬ 
ment  Guide),  it  was  realized  that  although  they  were  dimensionless,  they  could 
be  summed  to  find  the  relative  reliability  ratios  of  each  RAEEC  concept  with 
respect  to  the  "RAEEC  Baseline". 

Table  A-16  indicates  that  if  an  RAEEC  control  were  designed  for  maximum  reliabil¬ 
ity,  it  would  enjoy  an  improvement  in  reliability  of  19%  over  baseline  system. 
However,  the  most  reliable  design  would  also  dissipate  10.4%  more  power  than  a 
minimum  area  type  design.  It  should  be  pointed  out  to  the  reader  that  although 
the  "Min  Power"  and  "Mir.  Area"  designs  resulted  in  a  lov.er  overall  reliability 
ratio,  it  is  conceivable  that  additional  iterative  trades  on  each  circuit  in 
the  "Max  Rel"  column  could  result  in  less  power  and  less  area,  which  would  in 
turn  reduce  junction  temperature,  increasing  the  overall  reliability  improvement 
ratio  well  above  the  present  19%  mark.  Because  of  the  system  complexity  of 
RAEEC,  and  its  complex  heat  flow  calculations,  each  design  improvement  iteration 
is  quite  costly  since  it  involves  all  design  disciplines,  and  further  design 
iterations  were  outside  the  scope  of  this  program. 


413 


TEST 

CONNECTOR 


E-261  3 


FIGURE  A-58  TEST  UART 


TABLE  A-13  RAEEC  TEST  UART 


C  SUMMARY 


TABLE  A-15  SECONDARY  RAEEC  SUMMARY 


417 


■2654 


TABLE  A-16  RAEEC  PICKS  CHOICES 


It  must  be  pointed  out  that  the  "final  choice"  is  actually  identical  to  the 
"Max  Rel"  configuration,  except  for  the  choice  of  the  A/D  converter.  Although 
it  is  obvious  that  a  successive  approximation  converter  with  a  rel-merit  num¬ 
ber  of  306  is  more  reliable  than  the  "Smart  A/D"  with  a  number  of  265,  the 
additional  factors  which  influenced  the  choice  of  the  "Smart  A/D"  are: 

a.  Unloading  of  CPU  resulting  in  increased  throughput 

b.  Reduction  of  CPU  memory,  since  digital  filtering  not  required 

c.  Reduction  of  filtering  in  the  "low  level"  dc  interface 

In  actuality,  the  "Max  Rel"  design  should  have  been  penalized  by  the  above 
factors,  which  might  have  lowered  its  improvement  ratio  below  that  of  the 
final  choice.  Unfortunately  it  was  beyond  the  scope  of  this  program  to  reiter¬ 
ate  the  other  circuit  designs  due  to  the  actual  total  impact  caused  by  the 
utilization  of  a  successive  approximation  converter. 

Table  A-17  indicates  the  total  influence  on  reliability  if  the  2901  bit  slice 
processor  were  used,  since  it  was  the  second  most  reliable  processor  in  the 
processor  trade  studies.  The  reader  should  note  that  although  all  the  other 
circuits  were  held  constant,  the  power  supply  had  to  be  redesigned  to  carry 
the  additional  11  watts  of  power  required.  This  design  concept  resulted  in 
a  48,7?i  increase  in  power  dissipation,  a  9.7%  higher  board  area,  and  a  1% 
worsening  in  reliability  as  compared  to  the  "Final  Choice",  However,  if  the 
2900  approach  were  chosen,  it  would  have  been  realized  after  a  detailed  ther¬ 
moanalysis  that  the  Junction  temperatures  of  all  circuits  would  have  risen 
substantially,  causing  a  worse  merit  ratio  below  the  17%  mark. 

In  summary,  the  "Final  Choice"  represents  an  18%  increase  in  reliability  over 
the  baseline  RAEEC,  and  although  the  summary  is  shown  for  the  "primary",  the 
tabulation  of  the  "secondary"  provides  the  identical  results, 

A. 5  Final  RAEEC  Design  Choice 


A. 5.1  Introduction 

This  portion  of  the  report  provides  a  description  of  each  of  the  fourteen 
circuit  partitions  chosen  in  the  design  choice  as  a  result  of  the  reliability 
trade  study.  Also  included  in  this  section  is  the  rationale  used  in  making 
these  selections.  As  a  quick  cross-reference  aid  to  the  reader,  the  third 
digit  of  each  circuit's  paragraph  number  in  this  section  corresponds  directly 
tn  its  baseline  description  in  Section  A.2.k  and  its  corresponding  circuit  trade 
study  in  Section  A.3.X. 


419 


TABLE  A-17  RAEEC  SENSITIVITY  SUMMARY  II 


... .  ri  f .Li^  "1'  iMiiaiLi.A jUii.i'di  .'niiTi',L ..  Ji AilllllMiiifc 


The  result  of  the  A/D  design  trade  was  the  selection  of  the  "Smart,  Multiple- 
ramp,  A/D  Converter".  As  converters  go,  the  successive  approximation  A/D  is 
a  monolithic  chip  which  dissipates  less  power,  uses  less  board  area  and  per¬ 
forms  conversions  faster  than  the  multiple  ramp  type  (See Table  A-2).  However, 
the  above  factors  do  not  reflect  the  actual  savings  provided  by  the  "Smart 
multiple  ramp  converter",  which  are: 

a.  Reduction  in  CPU  memory;  no  digital  filtering  required. 

b.  Reduction  of  CPU  tasks  and  memory;  analog  multiplexing  task  moved 
to  A/0 

c.  Reduction  of  filtering  on  low  level  DC  interface 

The  resulting  "bottom  line"  when  the  total  system  is  reviewed  is  that  the 
"Smart  A/D"  provides  some  degree  of  distributed  processing  which  reduced  over¬ 
all  hardware  when  compared  to  a  "S.A.C.  A/D"  based  system. 

A. 5.3  Resolver  to  Digital  Converter 

The  "R-C  Bridge/Pulse  Width  to  Diqital"  R/D  as  described  in  Paragraph  A. 3. 3.1 
was  chosen  in  the  final  design  choice  due  to  its  superior  reliability.  The 
reader  should  be  reminded  that  the  primary  RAEEC  channel  contains  one  R/D, 
while  the  secondary  contains  two. 

^•5.4  Resolver  Excitation 

The  "Alternate  #1"  resolver  excitation  circuit  decribed  in  Paragraph  A. 3.4 
was  chosen  in  the  final  design  choice  due  to  its  superior  reliability.  This 
improved  circuit  uses  a  monolithic  power  driver  {HA2635)  instead  of  the  hybrid 
(MC1538),  which  resulted  in  the  reliability  improvement. 

A. 5, 5  Torque  Motor  D/A's  and  Drivers 


The  circuit  choice  could  have  been  successfully  made  on  merits  of  number  of 
interconnects,  or  number  of  components  or  power  dissipation  reduction,  but  the 
microprocessor  based  pulse  width  modulated  (P.W.M.)  torque  motor  driver  con¬ 
cept  was  a  clear  "winner"  in  the  trade  studies.  Based  on  the  summary  presented 
in  Table  A-4,  the  P.W.M.  concept  dissipated  half  the  power  of  the  baseline 
circuit,  used  half  the  components,  and  used  half  the  number  of  interconnects. 

In  addition,  the  microprocessor  became  part  of  a  distributed  processing  sys¬ 
tem,  which  reduced  the  load  on  the  CPU,  and  allowed  self-error  checking  at 
the  interface  level. 


A. 5.6  Solenoid  Drivers 

The  solenoid  driver  circuits  chosen  were  those  described  in  Paragraph  A. 3. 6 
for  the  constant  voltage  alternator.  It  should  be  pointed  out  that  although 
the  circuit  power  dissipation  is  approximately  1  watt  per  an  energized  sole¬ 
noid,  on  an  average,  only  three  solenoids  (and  three  drivers)  will  be  ener¬ 
gized. 

A. 5. 7  Pressure  Sensors  and  Circuitry 

The  selected  pressure  sensor  concept  utilizes  two  I^L  devices  per  sensor  channel, 
greatly  reducing  board  area  and  number  of  interconnects.  The  custom  concept  also 
includes  the  frequency  to  digital  converter.  The  circuit  (primary  and  secondary 
channels)  for  one  sensor  is  shown  in  Slock  Diagram  form  in  Figure  A-59.  Also  in¬ 
cluded  is  the  resistor  network  necessary  for  mating  the  redundant  electronics  to 
common  drive  and  pickup  coils  on  the  sensor. 

A. 5. 8  Low  Level  DC  Interface 

The  low  level  DC  interface  chosen  in  the  final  RAEEC  design  choice  is  the  al¬ 
ternate  design  described  in  Section  A, 3.8.  Two  of  these  interfaces  are 
designed  into  the  prime,  and  one  into  the  secondary. 

A. 5. 9  Resolver  Multiplexer 

The  resolver  multiplexer  chosen  in  the  final  RAEEC  design  choice  is  the  alter¬ 
nate  design  described  in  Paragraph  A. 3.9. 

A. 5. 10  Discrete  Signals  Conditioner  Circuits 

The  discrete  signal  conditioner  circuit's  approach  chosen  is  described  in 
Paragraph  A. 3.10.  This  approach  not  only  saved  hardware,  but  simplified 
some  of  the  CPU's  tasks  through  distributive  processing  fault  detection  con¬ 
cepts. 

A. 5. 11  Frequency  to  Digital  Speed  Interfaces 

The  frequency  to  digital  speed  interface  chosen  in  the  final  RAEEC  design 
choice  is  described  in  Paragraph  A. 3. 11.  This  system  eliminates  the  need  for 
custom  LSI  devices,  and  allows  better  conversion  accuracy  over  the  full  speed 
range  since  the  period  counter  is  CPU  programmable. 

A, 5. 12  Turbo  Pump  Speed  Interface 

The  turbo  pump  speed  interface  described  in  Paragraph  A. 3. 12  was  chosen 
since  it  eliminates  the  need  for  custom  LSI  devices  and  allows  better  conver¬ 
sion  accuracy  over  the  OJll  pump  speed  range,  since  the  8253  is  CPU  program¬ 
mable. 


422 


FIGURE  A  -59  SENSOR  CIRCUIT  BLOCK  DIAGRAM 


423 


A. 5. 13  Fault  Detection  Logic 

The  fault  detection  logic  circuit  choice  is  described  in  Paragraph  A. 3. 13. 

A. 5. 14  Power  Supply  System 

The  power  supply  system  chosen  for  the  final  RAEEC  design  is  the  constant 
voltage  power  system  described  in  Paragraph  A, 3. 14.  Although  the  constant 
current  alternator  power  system  required  fewer  parts,  the  reduced  power  dis¬ 
sipation  realized  in  the  constant  voltage  system,  reduced  junction  temperatures 
significantly,  resulting  in  a  system  with  highest  reliability. 


A. 5.15  CPU  Design  Pick 

During  the  design  phase  of  all  the  circuits  involved  in  the  trade  study,  it 
was  realized  that  in  several  areas,  it  was  more  profitable  both  from  a  relia¬ 
bility  improvement  and  a  parts  count  reduction  stand  point,  to  use  a  single¬ 
chip  microcomputer  (like  the  8048,  for  example)  instead  of  all  the  discrete 
logic  it  replaced.  When  the  studies  were  completed,  the  final  RAEEC  design 
choice  actually  comprised  six  processors;  the  main  CPU  and  five  I/O 
processors,  as  shown  in  Figure  A-60.  This  system  became  a  distributive 
processing  array,  which  simplified  the  task  load  on  the  main  CPU.  Since 
this  system  is  actually  a  loosely-coupled  parallel  processing  array,  the 
resulting  throughput  will  be  far  in  excess  of  what  the  simplex  baseline 
design  presented.  As  an  example,  the  baseline  CPU  was  responsible  for  all 
Built-In  Test  logic  required  to  check  itself  and  all  interfaces;  however,  the 
final  RAEEC  I/O  processors  will  now  be  responsible  for  performing  their  own 
Built-In  Test,  relieving  the  main  CPU  for  other  tasks.  Another  example:  in 
case  of  the  untimely  demise  of  the  main  CPU,  the  Dual-Port  Link  Alive  Proces¬ 
sor  will  communicate  with  all  surviving  I/O  processors,  and  then  communicate 
the  I/O  data  through  the  dual-port  link  to  the  other  RAEEC  channel. 


The  computer  architecture  "Botton-Line"  is  shown  in  Table  A-18.  This  summary 
presents  the  results  of  several  complete  CPU  trades  at  a  glance,  including 
the  final  RAEEC  design  recommendation.  The  reader  should  note  that  the  Design 
Recommendation  Computer  is  only  2.4%  better  in  reliability  points  than  the 
Basic  2901  computer,  but  the  final  RAEEC  design  recommendation  computer  also 
requires  24%  less  board  area,  and  requires  391%  less  power.  These  other  fac¬ 
tors  may  have  a  larger  effect  than  2.4%  on  the  final  design  than  normally 
expected,  since  junction  temperature  (and  reliability)  will  be  a  function  of 
board  area  (final  box  size)  and  the  power  dissipation  of  surrounding  components. 


424 


FIGURE  A-60  RAEEC  DISTRIBUTIVE  PROCESSING 


425 


TABLE  A-18  COMPUTER  ARCHITECTURE  "BOTTOM-LINE 


A. 5. 15,1  Processor  Choice  The  processor  was  chosen  only  by  the  reliability 
score,  (the  exact  same  scoring  system  used  on  all  other  circuits),  but  could 
have  been  chosen  on  other  merits  as  well.  This  chosen  machine,  was  the  12 
component  3-chip  SOS  HS  16/24  which  dissipates  only  320  milliwatts.  The  pro¬ 
cessor  with  the  second  highest  score  was  the  Basic  2901  machine.  The  follow¬ 
ing  presentation  outlines  summarize  the  relative  merits  and  disadvantages  of 
each  of  the  processors  discussed  previously: 

RAEEC  HS  16/24 


a.  Advantage 

•  Best  reliability  score 

•  Lowest  power  dissipation 

•  Smallest  board  area 

•  Very  good  throughput  (  >  666  KOPS) 

b.  Disadvantage 

•  Not  an  off-the-shelf  standard  processor 
RAEEC  Fault-Tolerant  Approach 

a.  Advantage 

•  Good  CPU  reliability 

b.  Disadvantages 

•  Excessive  board  area  required 

•  Excessive  power  requirements  and  large  impact  to  power  supply 

•  Total  reliability  points  not  as  good  as  simplex  approach 


427 


RAEEC  Twin  8086  Approach 


-  a.  Advantage  " 

•  Small  board  area 
b.  Disadvantages 

•  High  power  dissipation 

•  Marginal  throughput  and  high  programming  jeopardy 

•  High  variety  of  new  components 

•  Lowest  reliability  points 
RAELC  Simplex  2900  Approach 

a.  Advantages 

•  All  components  available  in  high  volume  from  multiple  vendors 

•  Good  reliability  points 

b.  Disadvantages 

•  Relatively  high  number  of  components  and  interconnects 

•  Relatively  high  power  dissipation,  with  corresponding  impact  and 
decrease  in  reliability  of  power  supply 

•  Reliability  points  not  as  good  as  low  power  H5  16/24  approach 

A. 5. 15. 2  RAM  Choice  The  Random  Access  Memory  chosen  for  the  RAEEC  is 
the  N-channeV  RaM  presented  as  Alternate  1  in  Paragraph  A. 3. 15.2  which 
had  the  best  reliability  score. 

A. 3. 15. 3  ROM  Choice  The  Read  Only  Memory  chosen  for  the  RAEEC  is  the 
All  N-channel  ROM  presented  as  Alternate  3  in  Paragraph  A. 3. 15.3  which 
had  the  best  reliability  score  of  all  alternatives  presented. 


42S 


A. 5. 15.4  I/O  Addressing  Logic  Choice  The  I/O  Addressing  Logic  chosen  for 
the  RAEEC  is  the  baseline  circuit  as  described  in  paragraph  A. 3. 15.4. 

Although  the  other  alternatives  required  less  components  than  the  baseline 
.design,  the  baseline  provided  the  best  reliability  score  since  all  the 
components  used  were  standard,  off  the  shelf  low-power  schottky. 

A. 5. 15. 5  Dual-Port  RAM  Choice  The  Dual-Port  RAM  circuitry  chosen  for 
-RAEEC  is  Alternate'  1  as  presented  in  detail  in  Paragraph  A. 3. 15^5  wh^ch 
had  the  best  reliability  score. 

A. 6. 15.6  Test  DART  Choice  The  Test  DART  circuitry  chosen  for  PAEEC  is 
Alternate  1  as  presented  in  Paragraph  A. 3. 15.6  which  had  the  better 
rel iabi 1 ity  score. 

However,  there  are  CMOS  operational  amplifiers  on  the  market  today  (manufac 
tured  by  RCA  and  INTEL  for  example)  which  will  slew  rail  to  rail.  If  the  +  10 
volt  reference  supplies  were  made  large  enough  to  handle  the  additional  (low 
power  by  the  way)  operational  amplifier  load,  then  the  two  14  volt  regulators 
could  have  been  deleted.  Also,  if  all  op-amps  were  run  on  ;J_  10  volts  instead 
of  -I  14  volts,  the  voltage  stress  would  decrease  and  there  would  be  an  accom¬ 
panying  increase  in  reliability.  The  scope  of  the  program  did  not  permit  more 
study  in  this  area,  thus  the  14  volt  power  buses  were  used. 

A. 6  Design  Comparison  Summary 

Table  A-ld  presents  a  comparison  of  i j  astern  functions  for  the  baseline  and 
final  RAEEC  designs.  Each  channel  is  ..•j-.sidered  separately, 


429 


TABLE  A-19.  COMPARISON  OF  BASELINE  AND  FINAL  RAEEC  SYSTEMS 


Channel 

Baseline  System 

Final  System 

Primary 

Power  Supply 

Raw  power  from  alter¬ 
nator  primary  winding 

Same 

Pressure  Sensors 

PT2,  PT3,  AP13 
each  with  single 
cylinder  and  single 
electronic  input  to 
primary  channel 

PT2,  PT3,  A  P13 
each  with  single 
cylinder  and  re¬ 
dundant  electronic 
inputs;  on 
each  chant 

All  other  core 

All  inputs  are  non- 

Selective  redun- 

engine  inputs 

redundant 

dancy  provided  for 
some  inputs. 

Augmentor  inputs 

All  inputs  are  non- 
redundant 

Same 

Input  interfaces 

Non  redundant  interface 
electronics  under  direct 
CPU  control 

Selective  redun¬ 
dancy  provided  for 
low  level  signal 
conditioning  A/D 
conversion.  D.C. 
multiplexing  and 
A/D  conversion 
under  microcom¬ 
puter  control . 

CPU 

-16  bit  parallel 
processor 

-lOK  X  16  bit  PROM 
-512  X  16  bit  RAM 
-64  X  16  bit  EAROM 

Same  except  for 

12K  x  16  bit 

PROM 

430 


TABLE  A-19.  COMPARISON  OF  BASELINE  AND  FINAL  RAEEC  SYSTEMS  (Continued) 


Channel 

Primary 

(Cent) 


Function 

Interchannel 
Data  Link 


Baseline  System 

-UART  with  32  X  12  bit 
RAM  interlinking 
'’rimary  with  second¬ 
ary  CPU 

-Intelligent  Votor 
(hardwired  smart 
PROM  backup  for 
selecting  best  of 
two  channels) 


Final  System 

-UART  with  32  X  16 
bit  dual  port  RAM 
interlinking  prim¬ 
ary  and  secondary 
CPU 

-Fault  status  dis¬ 
cretes  (hard¬ 
wired  circuit 
backup  for  switch¬ 
over  to  secondary 
when  primary 
channel  is  inop¬ 
erative) 


Output 

Interfaces 


Nonredundant 
interface  electronics 
under  direct  CPU 
control 


Selective  redundancy 
provided  for  some 
output  signals. 


Torciue  motors  under 
microcomputer  pulse 
width  modulation 
control 


Core  engine 
outputs 

Each  output  connected 
to  one  winding  of  dual 
winding  effector 

Outputs  provided 
with  selective 
redundancy  con¬ 
nected  to  two 
windings  of  triple 
winding  effector 

Augmentor 

Outputs 

Each  output  connected 
to  one  winding  of 
dual  winding  effector 

j _ 

Same 

431 


TABLE  A-19.  COMPARISON  OF  BASELINE  AND  FINAL  RAEEC  SYSTEMS  (Continued) 


Channel 

Function 

Baseline  System 

Final  System 

Secondary 

Power  Supply 

Raw  power  from  alternator 
secondary  winding 

Same 

Pressure  Sensors 

PT5,  PT13,  AP3 

each  with  single  cylinder 

4  single  electronic  input 
to  secondary  channel 

PT5,  PT13,  AP3 
each  with  single 
cylinder  and  dual 
redundant  inputs; 
one  to  each  channel 

All  other  core 
engine  inputs 

All  inputs  are  non- 
redundant 

Selective  redundancy 
provided  for  some 
inputs 

Augmentor 

inputs 

None  provided 

A1 1  inputs  are  non¬ 
redundant 

Input 

Interfaces 

Non-redundant  interface 
electronics  under  direct 
CPU  control 

Selective  redundancy 
provided  for  R/D 
conversion. 

D.C.  multiplexing 
and  A/D  conversion 
under  microcomputer 
control 

C.P.U. 

-16  bit  parallel  processor 
-  8  K  X  16  bit  PROM 
-512  X  16  bit  RAM 
-64  X  16  bit  EAROM 

Same  except  for 

12K  X  16  bit  PROM 

Interchannel 

Data  Link 

UART  with  32  X  16  bit 

RAM  interlinking 
secondary  with  primary 

C.P.U. 

UART  with  32  x  16 
bit 

Dual  port  RAM 
interlinking 
secondary  with 
primary  CPU 

Output  Interfaces 

Nonredundant 
interface  electronics 
under  direct  CPU  control 

Selective  redund¬ 
ancy  provided  for 
some  output  sigtials. 

Torque  motors  under 
nii crocomputer  pulse 
width  modulation 
control 

432 


TABLE  A.19  .  COMPARISON  OF  BASELINE  AND  FINAL  RAEEC  SYSTEMS  (Continued) 


Channel 

Function 

Baseline  System 

Final  System 

Secondary 

(Cont) 

Core  Engine 

Outputs 

Each  output  connected  to 
one  winding  of  dual 
winding  effector 

Outputs  provided 
with  selective 
redundancy  connect¬ 
ed  to  two  windings 
of  triple  winding 
effector 

Auginentor 

None  provided 

Each  output  con¬ 
nected  to  one 
winding  of  dual 
winding  effector 

433/434 


MECHANICAL  DESIGN  TRADE  STUDIES 


Summarized  in  this  Appendix  are;  1)  circuit  board  reduction  studies; 

2)  technology  comparisons;  and  3)  various  trade-off  studies.  This 
information  was  used  as  a  guide  for  selecting  the  various  package  features, 
materials  and  technologies  that  make  up  the  final  RAEFC  high  reliability 
design.  This  Appendix  serves  as  a  reference  so  that  the  reader  may  have 
a  better  understanding  of  how  the  final  design  was  derived. 

Figure  B-1  is  a  review  of  circuit  board  reduction  studies,  and  shows 
the  relative  improvement  in  reducing;  1)  the  total  printed  circuit  board 
area;  2)  component  quantity;  and  3)  carrier-to-substrate  terminations, 
as  the  design  progressed  from  the  baseline  configuration  (phase  1)  to 
the  final  RAEEC  configuration  (phase  j)  using  leadless  chip  carriers. 

The  RAEEC  design  concluded  with  phase  3  for  the  following  reasons; 

1.  Although  phase  4,  which  requires  mounting  leadless  chip  carriers 
on  both  sides  of  the  substrate,  is  a  viable  approach  to  further 
reducing  the  circuit  board  area,  it  was  not  used  because  of  its 
incompatibility  with  the  HCC  module  design.  It  was  determined  that 
it  was  more  advantageous  to  provide  optimum  thermal  design  than  to 
further  reduce  the  circuit  board  area. 

2.  Although  phase  5  was  not  included  as  part  of  the  RAEEC  study,  it  is 
still  an  area  for  future  consideration  since  the  multichip  carrier 
approach  can  yield  substantial  benefits  in  reducing  circuit  board 
area,  component  count  and  carrier-to-r,ubstrate  terminations.  Because 
of  the  uncertainty, involved,  and  the  effect  it  may  have  on  test 
capability  and  package  standardization,  it  was  not  introduced  at 
this  time. 

Table  B-1  is  a  summary  of  the  technology  selected  for  the  RAEEC  Control 
and  represents  the  results  of  the  various  trade-offs  presented  in 
Figures  B-2  through  3-4  and  Tables  3-3  through  B-7.  Table  B-1  also 
compares  the  RAEEC  technological  improvements  to  that  of  old  technology, 
which  is  representative  of  the  baseline  control.  The  points  shown  for 
the  old  technology  were  chosen  arbitrarily  and  the  points  shown  for  the 
RAEEC  technology  were  determined  based  on  the  relative  improvement  in 
reliability  over  the  old  technology.  The  reliability  factor  (Rf)  was 
based  primarily  on  the  quantity  of  each  feature  contained  in  the  controller 
design.  Table  B-z  illustrates  how  Rf  was  determined. 


436 


Figures  6-2  through  B-4  and  Tables  B-3  through  B-7  represent  all  the 
trade-offs  that  were  performed  for  each  of  the  package  features.  Figure 
6-2  indicates  how  many  I/O  connectors  should  be  used  to  optimize 
reliability  and  maintainability. 

Tables  B-3  through  B-7  and  Figures  B-3  and  B-4  are  all  based  on  a  similar 
approach.  A  list  of  rating  criteria  was  generated  for  each  package 
feature.  The  various  designs  were  then  assigned  a  weighting  factor  (WF) 
and  a  rating  factor  (RF).  The  weighting  factor  is  based  on  the  relative 
importance  in  terms  of  reliability;  the  rating  factor  is  a  measure  of 
how  good  that  particular  characteristic  is.  The  product  of  the  two 
(i.e.  RF  X  WF)  is  the  overall  rating  for  that  feature.  The  totals  of 
all  of  the  individual  feature  ratings  are  then  used  to  show  the  relative 
magnitude  of  improvement  in  design  and  to  serve  as  a  guide  for  selection. 

Below  is  a  list  of  abbreviations  used  in  the  following  tables  and  figures. 


Assy 

Assembly 

BD 

Board 

Conn 

Connector 

Flex 

Flexible 

PC 

Printed  Circuit 

PTH 

Floated  Thru  Hole 

Term 

Termination 

T.I. 

Texas  Instruments 

437 


(1) 


(2) 


(3) 


PHASE 


BASELINE 

DESIGN 


IMPROVED 

FUNCTIONAL 

DESIGN 


LEAOLESS 

CHIP 

CARRIERS 


LCC'S  MOUNTED 
ON  BOTH  SIDES 
OF  SUBSTRATE 


(S) 


AREA 


COMP 
lY 


694 


410 


244 


T60 


QTY  TERMINAT 

SL  3 


CARRIER/SUBSTRATE 

TERMINATIONS 


166 


T60 


TBD 


liQlJ 


12,014 


1204  I  1797 

1  .097  - 


tion 


284  1 

1 

797 

1 - \ 

4,863 

7,151 


4263. 


1,081 


HONE 

NONE 

7,151 


_iM3 


RAEEC  DESIGN 
CONCLUDED  HERE 


TBD 

TBD 

1 

MULTICHIP 

T 

TBD 

T 

TBD 

LtAUltSS 

*  1  uu 

1 

LAKK 1 tKb 

figure  b-1  reduction  studies 


TABLE  B-1  RAEEC  PACKAGE  FEATURES 


pOAi^i; 


FIGURE  B-3  I/O  CABLE  ASSY  TRADEOFF 


WEIGHTIIIG  FACTOR:  MOST  IMPORTANT  =  10  RATING  FACTOR:  EXCELCENT 

VERY  IMPORTANT  =8  ,  VERY  GOOD 

(.s'E)  IMPORTANT  -  5  J  GOOD 

SOMEWHAT  IMPORTANT  *3  FAIR 


FIGURE  B-4  CHIP  TO  CARRIER  TERMINATION 


•  CO  O 


I  r««.  in  CO  I—  o 


o  o  o  o 
o  o  o  o 
o  o  o  o  _ 
•*•*#«•»  o 
m  o  ir>  o  o 

J  ^  ^  <vj  O 
)  I  I  I  t 
>  O 

O  O  O  CVJ 

-  o  o  o  o  * 

,0000  A 

r  » 

»—  in  o  m 


0^  CT>  C3> 

<\i  o^  o^ 

c  r-  CO  in  cr» 

.f-  a^ 

' — '  o  *  *  *  I 
o 

<c  ,—  o  o  o  o  A 
UJ  . ,  o  o  o  o 

CJC  V  I—  CSi  «•  UD 

c 


0000 

O  VD  O  VO 
r—  I—  CM  CM  O 

>  VO 

>  I  I  I  I  CM 

'  O  I—  I—  >—  A 
10  o  >0  o 

r—  I—  CM 


*4-  io  Lfl  CO  O 

OCH- 


t'^  Ln  n  I—  o 


CVJ  VO  CO  0  0 

CTi  VO  0 

, 

,  1 

>- 

1—  CVJ 

>-  < 

^  1 

1  1  1  0 

1' 

r|  * 

CrI 

CVJ 

0 

r-  CO  vn  ov 

in  0 

000c 

O  VO  O  VO 
I—  r—  CM  CM  O 
I  VO 

I  I  I  I  I  CNJ 

O  ^  r-  A 

vn  o  VO  o 

»—  I—  CVJ 


TABLE  B-3  I/O  CONNECTOR  TERMINATION  COMPARISON 


TABLE  B-4  printed  CIRCUIT  BOARD  CONNECTORS 


I 


^  O  u. 
<2  0: 

O 

o 

O 

O 

o 

o 

o 

o 

QC  — ■  X 

00 

m 

U> 

d* 

VD 

UJ  H-  U. 

<  3 

O  a:  ^ 

og 

_ _ _ 

Ll_ 

UJ  CC 

5»  CO 
•— «  Z 

I—  Qt 

00 

o 

tA 

m 

o 

ir> 

m 

<  h-  o 

— 1  <  H- 
UJ  o:  o 

a:  < 

LU 

. 

<u 

c  >, 

T3 

1 

T3 

c  <u  ^ 

iT3 

■o 

<I» 

TD  iO 

QC 

o  c  c 

o 

c. 

:a 

T3 

C  Z 

UJ  O  O 

CJ  O  CZ5 

v>  ^ 

<TJ 

OJ 

<  OJ 

O  H-  *— 

13 

X 

T3 

TJ 

<U 

TD  4-» 

UJ  U)  CM 

c  c  c 

O'  *0 

i3 

U  k.  iU 

tn 

»—  UJ  1 

l-H  — <  O 

^  V)  QJ 

k. 

> 

C  -D  k. 

c 

a.  z  o 

-•->  ^ 

<u 

o 

O 

c 

*v  O  13 

o 

CJ 

1  2  1 

a»  t/)  •♦■J 

CT>  O  < — 

c 

-J 

k. 

io 

CJ  CD  CD. 

•  r“ 

o 

CJ 

r-  O  ~l 

>  c  u 

C  d  O. 

UJ 

X 

u 

TJ 

Oj  OJ 

4-> 

lA 

o 

o 

O  ^  O' 

r-  +j  a. 

UJ  *o 

UJ 

C  •  vO 

iO 

eg 

UD 

s: 

O  u 

k.  C  <£ 

VI 

1. 

<1» 

4-> 

4-> 

•o 

C  CJ 

u 

<“ 

CD 

i.  ^ 

Ck  o 

'T 

<A 

o 

3 

u 

o  • 

o 

CD  d. 

vO  t  J  3 

LjU 

- 

ZD 

z 

CD 

_J 

+ 

1 

— j 

'  “ 

^  cO  U. 

<  r:  ct: 

o 

O 

O 

r> 

o 

o 

O 

o 

Qi  X 

o 

00 

00 

UD 

d 

If 

e-5 

UJ  1—  u. 

=»  <C  3 

O  oc 

— 

d 

Ll. 

UJ  or 

2»  CO 

—  z 

h-  ^  ct: 

o 

CO 

00 

cn 

ClJ 

.r» 

UT) 

<  h-  O 
-1  <  1— 

UJ  iZ  UJ 

Oi  <t 

LU 

— 

- 1 

“1 

C  -M 

c 

CJ 

0)  w 

lA 

4J 

q;  fO 

e  'o 

13 

3 

1 

c  4-> 

c  *-» 

4J 

k. 

U 

CD 

•  c 

ac  O 

■-  c 

C7>  C 

UJ 

iO 

CT.  O  VD 

UJ  O  CO 

•J  o 

e-  o 

X 

it? 

W 

T? 

'H-  t  J  OJ 

CJ  H- 

CJ 

»-  CJ 

re 

C 

a* 

a» 

X  > 

LlJ  O  LD 

Vi 

VI 

cr  o 

•D 

•o 

X  — 

—  uJ  1 

j  zn 

</l 

« 

u 

C  CJ 

•r- 

•n 

U  HV  -tl 

O.  Z  CJ 

O'  c 

01  i; 

4> 

o 

•»— 

> 

d. 

O  O  X 

1  Z  f 

V- 

>  K  C7 

k. 

-4-1 

*->  X? 

o 

»->  ‘n 

c> 

eg  O  — 1 

SJ  4-» 

V-  c 

u 

u 

c  a» 

k. 

OJ 

CJ  k. 

o 

CJ 

O  i-< 

in 

WE'- 

1/) 

<v 

u;  CT 

a. 

03 

QJ  VI  O 

A 

c> 

^  £ 

-r-  -O 

c 

>  u 

r.  O'  ♦-» 

CM 

ID 

u 

VI  C  13 

u 

c 

<1^  E 

4-> 

c 

C  '-J 

UJ 

(TJ  Q. 

O  •<“  o 

«T/ 

o 

w  ^ 

O 

JC 

O  15  OJ 

CU  — 1 

Cj 

tx  o 

z 

CJ 

CJ  2:  c 

+ 

1 

>• 

u-  O  u- 
Z  3 

•— «  f— 

U5  X  a 

-.0 

O 

o 

o 

i/> 

CD 

CD 

<V  cO  O 

t  f— 

r- 

._J  UJ  U) 
UJ  3  < 

a;  u_ 

cO 

c 

>“ 

rn 

c> 

UJ 

Q. 

r— *  »— 

u 

w 

C.-  — > 

H 

a 

u-  *-• 

♦J 

■r- 

4-» 

o 

o  u 

OJ 

E 

ZD  -J 

c 

•o 

c 

u 

4) 

riO  •— 

01 

cr 

O' 

CJ 

r—  4_l 

1— 

^  CO 

c 

c  C 

*-> 

OJ 

O  Q.. 

cr 

or 

c 

•'  -j 

OJ 

c 

u- 

k.  OJ 

c: 

o 

cn 

r—  *“■ 

O' 

*-j 

cr. 

c 

OJ 

W  u 

•r“ 

c 

-j 

Z  —1 

'O  ♦-» 

<> 

-r- 

C  UJ 

4-* 

«r 

O  UJ 

C  u 

— 

CJ 

o  a: 

U 

4.^ 

1— 

C.J  Ot 

d: 

Qj  n3 

it: 

0/ 

vj 

k- 

iV 

a; 

ci:  *-> 

(j 

TO 

QC 

TD 

<u 

k. 

h- 

UJ  X 

>  j-* 

'-w  c 

0. 

>h  C 

a 

UJ 

cr:  CO 

*-  CJ 

CT'  O 

c 

C- 

-•-i  d: 

o 

o. 

“D  *— « 

*_»  fO 

C  C-J 

iO 

•r- 

CJ 

X 

«-  *-i 

■  r- 

x: 

> 

n: 

»—  cr» 

VI  C 

•-»  o 

u 

•— 

k- 

rtJ  3 

CT 

2 

UJ  O 

a  Ci 

(0  ^ 

OJ 

u- 

iO 

4-/ 

3  «— 

•  i— 

o 

U-  CJ 

>.  3 

i- 

Cl 

Ci, 

CA 

erx 

X 

—I 

o 


II 


II 


O) 

JU 

u 


TD 

■>3 

C 

<D 


o  CO  CO  ^ 

n  II  II  II  II 


ti.  k. 

O  D  •«-» 
Q.  Q.  C 
E  t  ^ 

•  I— I 

k. 

>>  O 
i/i  k.  a. 
o  0^  E 
s:  ^ 


wi 

u 

o 

4-> 

u 

<o 


£ 

CT' 

Q' 

3 


VO 


CSJ 

VO 


UJ 


4^*3 


Somewhat  Important 
Least  Important 


TABLE  B-6  thick  FILM  SUBSTRATE  COMPARISON 


447 


SOLDER  JOINT  CONFIGURATION 


RELIABILITY  ADVANCEMENT 


FOR 

ELECTRONIC  ENGINE  CONTROLLERS 
Discussion  Topics 
RAOC 

December  8,  1977 

1.  Review  of  the  engine  control  problems. 

2.  Discussion  of  the  failure  modes,  problems,  advantages,  disadvantages 
of  CMOS,  SOS  CMOS,  N  Channel  MOS,  I^L,  and  low  power  Schottky  for 
high  reliability  applications  in  the  1977-1987  time  frame. 

3.  Discussion  of  the  process  steps  associated  with  each  technology  and 
the  potential  jeopardy  of  each  step. 

4.  Recommend  the  semiconductor  and  microcircuit  technology  which  shows 
the  most  promise  for  reliable  performance  in  a  hostile  environment. 
Consider  the  need  for  advanced  performance  in  multiple  function  and 
circuit  types. 

5.  Suggestions  and  recommendations  relative  to  optimum  derating  for  var¬ 
ious  component  types  and  technologies. 

6.  Discussion  of  the  impact  of  "VSLI"  on  reliability,  e.g.,  new  design 
rules,  new  testing  problems,  new  process  steps. 

7.  Discussion  of  advantages/disadvantages  of  using  hybrid  technology  in 
high  reliability  applications. 


SUBJECT; 

Reliability  Advancement  for  EEC 
Technology  Transfer  Trip  Report 
Rome  Air  Development  Center 
December  8,  1977 

A  five  hour  discussion  was  conducted  at  RADC  along  the  lines  outlined  in  the 
discussion  topics  (attached).  The  following  persons  participated: 


Joe  Brauer 

RADC 

Clyde  Lane 

RADC 

Chuck  Ryan 

AFAPL 

Phil  Lefkowitz 

HS 

Vic  Mosca 

HS 

Dick  Potetz 

HS 

Chas.  Rabinowitz 

HS 

Bill  Peck 

HS 

Or.  Ai  Shuskas 

UTRC 

450 


Following  the  introduction  of  the  engine  control  problem,  a  discussion  of  JFC 
90  experience  followed  with  an  examination  of  the  failure  history.  The  fail¬ 
ure  history  was  examined  in  order  to  determine  whether  high  temperature  over¬ 
stress  testing  (HTOT)  of  components  could  have  a  beneficial  impact  on  JFC90 
reliability.  Clyde  cane  expressed  the  concensus  opinion  by  saying  that  HTOT 
testing  will  have  little  benefit  unless  it  is  proceeded  by  a  successful  reduc¬ 
tion  in  vibration  and  temperature  environment. 

CMOS 

Highl  i  ghts 

•  The  greatest  problem  with  CMOS  is  the  variability  from  lot  to  lot  and 
the  lack  of  understanding  of  the  failure  mechanism. 

•  CMOS  from  some  vendors  cannot  presently  be  HTOT  tested. 

•  Despite  problems,  RADC  has  compiled  a  record  with  4000  series  metal 
gate  CMOS  devices  in  both  field  and  laboratory  which  shows  CMOS  and 
comparable  bi-polar  circuits  to  be  about  equal  at  0.4  failures/million 
hours  of  operation  at  50®C. 

•  RADC  believes  the  TTL  has  a  slight  edge  in  reliability  and  that  CMOS 
reliability  can  be  improved  with  more  stringent  screening. 

•  This  discussion  centered  primarily  on  digital  circuitry  constructed 
with  CMOS  technology.  These  circuits  comprise  less  than  ^2%  of  the 
parts  list  of  a  typical  electronic  control.  The  significance  of  this 
discussion  is  overshadowed  by  the  fact  that  the  reliability  of  linear 
integrated  circuits  is  markedly  lower  than  that  of  digital  circuits 
and,  coupled  with  their  greater  number,  will  likely  play  the  dominant 
role  in  establishing  the  system  reliability. 

The  discussion  then  swung  to  item  Z  and  a  Joe  Brauer/ Clyde  Lane  presentation  of 
the  CMOS  situation.  Their  presentation  is  summarized  as  follows: 

The  greatest  problem  with  CMOS  is  the  variability  of  CMOS  product  from  lot  to 
lot.  While  CMOS  is  theoretically  capable  of  being  manufactured  with  reliable 
characteristics,  as  are  TTL,  I^L,  lower  power  Schottky,  and  others,  every 
practitioner  of  the  CMOS  art  currently  introduced  his  own  variation  in  the 
manufacturing  recipe.  This  is  done  for  economic  reasons  but  results  in  dis¬ 
tinct  built-in  failure  modes.  All .manufacturers  suffer  from  this  problem  at 
the  present  time,  even  though  the  variability  seems  to  be  slowly  improving 
over  the  last  two  years. 

The  major  concern  that  the  RADC  personnel  expressed  about  CMOS  circuits  was 
that  although  good  devices  were  being  turned  out  Ly  a  given  line,  occasionally 
bad  batches  were  turned  out  which  showed  excessive  failure  rates  during  accel¬ 
erated  life  testing.  What  is  particularly  puzzling,  is  that  conventional 


451 


screening  techniques  such  as  C-V  measurements  and  bias-temperature  stressing 
cannot  distinguish  between  the  batches  which  show  an  abnormal  failure  rate  and 
long  lived  devices.  The  lack  of  understanding  of  the  failure  mechanism  intro¬ 
duced  in  the  manufacturing  process  makes  for  a  bad  feeling  from  a  reliability 
standpoint.  Any  lack  of  knowledge  or  control  indicates  a  potential  reliability 
problem. 

Long  term  failure  predictions  for  CMOS  for  applications  with  warm  to  hot  en¬ 
vironments  are  a  concern.  Figure  C-1  shows  the  acceleration  of  some  of  the 
failure  modes  with  temperature.  It  is  significant  that  the  slope  of  the 
temperature-time  line  is  a  direct  function  of  activation  energy.  Lot  variations 
from  some  manufacturers  have  been  documented  to  vary  over  a  4  to  1  range  with 
a  corresponding  variation  in  slope  of  4  to  1 . 

Although  CMOS  has  fewer  construction  process  steps  than  T^l,  there  are  more 
critical  steps  such  as  the  oxide  process  whicli  is  not  well  understood.  Problems 
identified  under  high  temperature  overstress  testing  (HTOT)  include  threshold 
shift  and  surface  leakage.  In  particular,  some  products  use  epoxy  die  attach 
which  releases  moisture  with  time  and  temperature  ultimately  leading  to  surface 
leakage  problems.  The  epoxy  utilized  for  the  die  bonding  was  not  subjected  to 
a  vacuum  bake  cycle,  and  hence,  released  water  when  the  test  devices  were 
raised  to  the  elevated  temperatures  required  for  accelerated  life  testing. 

This  resulted  in  an  excessive  failure  rate  due  to  leakage.  In  the  face  of  this 
evidence  and  repeated  suggestions  to  certain  manufacturers  by  RADC  to  vacuum 
bake  the  epoxy  prior  to  chip  bonding,  or  to  revert  to  eutectic  die  bonding, 
they  chose  to  ignore  these  suggestions  until  recently.  Several  lots  of  devices 
which  were  fabricated  employing  vacuum  baked  epoxy  were  reported  to  exhibit  a 
considerably  improved  failure  rate  when  subjected  to  accelerated  life  testing. 
One  company  has  persistently  declined  to  use  a  eutectic  die  attach  which  would 
be  the  obvious  solution  to  this  problem,  but  instead  has  elected  to  try  another 
type  epoxy  that  supposedly  would  not  release  moisture  in  the  package.  Devices 
with  the  new  type  epoxy  material  have  not  yet  been  made  available  to  RADC  for 
evaluation.  RADC  suggests  that  the  moisture  problem  may  not  affect  real  appli¬ 
cations,  however,  they  must  do  accelerated  testing  for  bAMSO  applications  and 
the  moisture  problem  prohibits  meaningful  results  on  these  devices.  Other 
devices  had  a  problem  with  lid  seal  integrity.  Lids  popped  off  at  high  temper¬ 
ature.  Although  resolution  for  these  problems  is  in  process,  RADC's  prime 
concern  is  that  there  still  remains  excessive  lot  to  lot  variation  in  relia¬ 
bility, 


Recent  liTOT  tests  completed  by  Motorola  for  Goodyear/MCAIR  on  CAPTOR  program 
indicated  excellent  results  which  were  certainly  comparable  to  T'^L.  In  the 
final  analysis,  tradeoffs  have  to  be  conducted  to  determine  the  failure  rate 
effect  of  lower  operating  temperatures  of  CMOS  vs  Ta. 

Preliminary  testing  of  radiation  hardened  devices  has  shown  good  reliability. 
This  has  been  attributed  to  the  clean  oxide  low  temperature  processing  needed 
to  meet  radiation  requirements  which  also  reduced  contamination  significantly 
thereby  reducing  threshold  shift  and  leakage. 


45? 


E-tO 


FIGURE  C-1  LIFE -TEMPERATURE  RELATIONSHIPS  MFR  NO.  1  LOT  A-4007  CMOS 


453 


The  standard  168  hour  1250C  burn-in  is  not  adequate  to  remove  infant  mortality; 
RADC  can  recommend  special  testing  for  hi-rel  application. 

With  regard  to  the  relative  merits  of  CMOS  and  T^l,  RADC  implied  that  TTL  is 
twice  as  reliable  as  CMOS.  This  comment  has  to  be  examined  in  the  context- 
that  it  was  made.  The  reliability  comparison  was  made  between  CMOS  RAM  cir¬ 
cuits  and  TTL  ROM  chips.  Clearly  the  compariscn  is  not  being  made  for  circuits 
of  the  same  level  of  complexity  and  the  CMOS  circuits  are  at  a  disadvantage  in 
this  comparison.  One  further  caution  that  must  be  made  when  comparing  tech¬ 
nologies  such  as  CMOS  and  bi-polar  is  whether  the  process  technologies  used  in 
the  fabrication  of  devices  are  of  a  comparable  level  of  sophistication;  for 
example:  diffused  guard  rings  vs  oxide  isolation,  epoxy  die  bonding  vs  metallic 
die  attachment,  diffused  junctions  vs  ion  implanted,  polysilicon  gates  vs. 
metal  gates. 

Despite  the  problems  detailed  above,  RADC  has  compiled  a  record  with  4000  series 
metal  gate  CMOS  devices  in  the  field  and  in  the  laboratory  as  follows; 

Measured  at  50°C 

LAB  0.37  fai lures/mi 1 1  ion  hours  operation 

FIELD  0.39  failures/million  hours  operation 

These  CMOS  results  compare  favorably  with  RADC  tests  on  TTL  as  follows: 

TTL  at  70°C 

LAB  0,5  failures/million  hours  operation 

CMOS  device  reliability  is  quite  respectable,  by  today's  standards  for  reliable 
semiconductor  devices,  even  though  some  of  these  parts  cannot  be  tested  with 
HTOT. 

SOS/CMOS 


SOS  has  the  same  p-^oblems  as  CMOS  plus  an  additional  one.  The  oxide  SOS  inter¬ 
face  by  process  nature  has  poor  strength  yielding  to  failure  under  thermal 
cycling.  This  defect  can  be  screened  via  thermal  cycling.  A  bad  device  will 
last  1-10  cycles,  a  good  one  300  cycles,  RADC  is  concerned  in  a  temperature 
cyclic  environment  that  300  cycles  will  be  exceeded. 

Device  isolation  in  one  process  is  achieved  by  means  of  etching  away  the  sili¬ 
con  between  devices.  In  the  subsequent  oxidation  for  device  passivation,  the 
oxide  film  formed  near  the  silicon-sapphire  interface  tends  to  grow  thinner 
than  the  remainder  of  the  film.  This  is  a  weak  point  and  tends  to  fail  by 
rupturing  when  the  devices  are  thermally  cycled.  RADC  has  found  that  devices 
which  usually  can  withstand  ten  temperature  cycles  will  not  fail  in  this  mode. 
There  are  fixes  for  this  problem  and  the  simplest  is  to  deposit  a  film  over  the 
oxide  to  shore  up  the  weak  point.  The  best  approach  is  to  avoid  the  problem 
completely,  which  has  been  accomplished  by  means  of  oxidizing  the  silicon  be¬ 
tween  devices  down  to  the  sapphire  substrate.  The  local  oxidation  results  in 
added  benefits  such  as  planar  surfaces  which  eliminate  metallization  step 
coverage  problems  encountered  in  conventional  processing. 


454 


SAMSO  on  the  I^issle  X  (MX)  program  spend  much  money  trying  to  use  CMOS  SOS  and 
finally  gave  up  and  converted  to  low  power  Schottky.  Reason  --  reliability, 
producibility  and  limited  suppliers  on  the  SOS. 

There  is  a  lot  of  military  interest  in  CMOS  SOS,  however  RADC  feels  that  if 
the  commercial  market  doesn't  expand  the  technology  would  not  go  far. 

N-Chanri el  MOS 


Although  N-Channel  would  theoretically  be  less  reliable  than  P-Channel,  exper¬ 
ience  has  shown  the  reverse  to  be  true.  RADC  stated  that  BTL  is  recommending 
N-Charinel  for  severe  environment  application  because  it  doesn't  have  contamin¬ 
ation  susceptibility,  is  comparable  to  SOS  speed  and  MOS  power,  and  is  easier 
to  produce. 

Navy  appears  to  be  going  with  I^L  and  a  general  DOD  attitude  favors  I^L.  No 
testing  has  been  done  by  RADC.  RADC  is  being  pushed  to  generate  MIL  specs  but 
has  no  basis  for  assessing  inherent  reliability.  One  manufacturer  has  made  a 
major  commitment  in  this  technology,  it  having  high  commercial  promise. 

Hybrid 

Messrs.  Brauer/La.ne  commented  on  hybrids  as  follows: 

Many  manufacturers  who  make  hybrid  circuits  for  the  open  market  are  small,  have 
inadequate  financial  resources,  and  inadequate  quality  control.  Aerospace  com¬ 
panies  making  hybrids  for  their  own  internal  use  have,  in  general,  not  been 
evaluated  by  RADC  but  may  not  suffer  from  these  problems. 

Hybrid  devices  must  be  recognized  as  complex  assemblies  with  demanding  processes 
which  must  be  defined  and  maintained  with  hard  discipline.  Most  small  suppliers 
lack  adequate  process  control  and  discipline  and  are  not  capable  of  making  re¬ 
liable  hybrids. 

The  difficult  problems  of  making  repeatable  reliable  hybrids  grow  enormously 
as  the  size  of  the  hybrid  increases.  It  appears  that  the  compounding  of  severe 
testing  and  repair  problems  on  top  of  original  manufacturing  proolems  make  the 
6"  X  7"  hybrid  device  impractical. 

At  the  end  of  the  discussion,  it  was  brought  out  that  the  concern  over  the 
relative  reliability  of  various  technologies  employed  to  fabricate  the  digital 
circuits  is  overridden  by  the  fact  that  the  reliability  of  linear  intearated 
circuits  is  markedly  lower  than  that  of  digital  circuits.  As  long  as  linear 
circuits  are  employed  in  the  electronic  engine  control,  they  will  play  the 
dominant  role  in  establishing  the  ultimate  system  reliability. 


455 


CONCLUSIONS 


This  is  only  the  first  of  several  in-depth  technology  transfer  discussions  of 
semiconductor  components  and  technologies.  Therefore,  it  appears  premature  to 
draw  final  conclusions  until  more  discussions  are  held  and  a  more  complete  pic¬ 
ture  available. 

Our  next  technology  transfer  visit  will  be  made  on  December  14,  1977  to  Bell 
Laboratories  in  Murray  Hill,  New  Jersey.  The  Bell  System,  widely  recognized 
as  a  maker  of  highly  reliable  equipment,  purchases  and  uses  millions  of  CMOS  de¬ 
vices  per  year  in  their  telephone  switching  gear.  They  have  also  been  one  of 
the  pioneers  in  the  use  of  High  Temperature  Overstress  Testing  (HTOT)  to  elim¬ 
inate  premature  failures  from  semiconductor  components.  They  appear  to  have 
solved  the  HTOT  testing  problem  for  their  purchased  CMOS  devices. 


456 


APPEnOIX  D 

VIBRATION  AND  TEMPERATURE  TRADEOFF  STUDY 


^57 


0.1  Scope 


The  purpose  of  this  study  is  to  establish  design  guidelines  so  that  assessments 
"^can  be  conducted  on  the  Vibration/Failure  Rate  and  Temperature/Failure  Rate 
relationships  inherent  in  electronic  equipments.  The  study  also  established 
a  method  to  determine  the  optimum  combination  of  temperature  and  vibration 
level  so  that  the  lowest  possible  failure  rate  is  achieved. 

0.2  Temperature/Failure  Rate  Tradeoff  Analysis 

The  phenomenon  of  the  Temperature/Failure  Rate  relationship  is  a  well  documented 
process.  There  are  also  several  ways  that  the  Temperature/Failure  Rate  rela¬ 
tionship  can  be  quantified.  In  this  study  the  relationship  between  failure  rate 
and  temperature  was  derived  using  MIL-HDBK-21 7B  as  the  basis  with  all  other 
factors  held  constant. 

The  Temperature/Failure  Rate  relationship  was  studied  using  an  electronic  fuel 
control  parts  compliment.  A  series  of  failure  rate  predictions  was  performed 
using  217B  as  the  basis  and  varying  the  temperature  through  a  range  of  discrete 
values.  The  results  are  plotted  in  Figure  D-1.  Using  straight  line  approxi¬ 
mations  it  can  be  seen  that  the  slope  of  the  failure  rate  index  increased 
significantly  for  temperatures  greater'  than  For  temperatures  above 

tliis  break-point,  the  failure  rate  is  more  sensitive  to  changes  in  temper¬ 
ature  than  for  temperatures  below  the  breakpoint.  The  breakpoint  delin¬ 
eates  critical  regions  with  respect  to  operating  temperature. 

The  curve  in  Figure  D-1  can  be  used  to  determine  the  impact  of  temperature 
upon  failure  rates  for  other  systems.  For  example  consider  a  system  with  a 
failure  rate  of  100  XIO'2  F/Hr  and  operating  at  90°C.  If  the  system  was  re¬ 
designed  such  that  the  operating  temperature  was  reduced  to  60OC,  what  would 
be  the  corresponding  failure  rate?  From  Figure  D-1  it  can  be  seen  that  at 
90°C  the  failure  rate  is  70  X  10'^  F/Hr  and  at  60°C  the  failure  rate  is  43.5 
X  10"^  F/Hr,  for  a  ratio  of  0.62  =  43.5  X  10"^/70  X  10"^.  Therefore,  the  new 
failure  rate,  at  the  reduced  temperature,  is  62  X  10-3  F/Hr  =  (0.621  (100  X 
10-3). 

This  type  of  analysis  can  be  conducted  for  most  equipment/ systems.  However,  it 
should  be  kept  in  mind  that  the  curve  in  Figure  D-1  was  developed  from  a  fuel 
control  system,  and  as  such,  the  closer,  in  terms  of  function  and  environment, 
the  system  under  analysis  is  to  a  fuel  control  the  more  accurate  the  results 
will  be. 


U.3  Vibration/Failure  Rate  Tradeoff  Analysis 

The  purpose  of  chis  section  of  the  analysis  was  to  attempt  to  quantitatively 
identify  the  relationship  between  vibratory  stress  and  the  failure  rate  with 
all  other  parameter:  constant. 

A  portion  of  the  data  for  the  analysis  was  drawn  from  a  r'eport  prepared  for  the 
Custis  Directorate  of  the  U.5.  Army  Air  Mobility  Research  and  Development  Labor¬ 
atory  by  Sikorsky  Aircraft  (Reference  65).  This  study  assessed  the  reliability 


45n 


1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 

80  100  120  140 

EMPERATURE  ("C) 

E-6161 


RATE  VS.  TEMPERATURE 


9 


impact  of  vibration  levels  upon  two  groups  of  helicopters.  The  groups  were 
identical  in  construction  except  that  one  group  had  a  device  which  reduced  the 
vibration  induced  by  the  rotor.  Vibration  measurements  were  made  on  selected 
aircraft  from  both  groups  to  determine  the  vibration  environment.  The  vibra¬ 
tion  level,  at  the  mounting  location,  for  each  piece  of  equipment  was  linearly 
extrapolated  from  the  measured  data  points.  Failure  data  was  collected  through 
normal  Air  Force  channels  using  the  USAF  AFM  66-1  Maintenance  Data  Reporting 
System. 

The  second  part  of  the  data  was  drawn  from  internal  Hamilton  Standard  sources 
dealing  with  the  JFC90  Fuel  Control.  A  design  improvement  to  add  isolators  to 
the  JFC90  has  resulted  in  a  reduced  vibration  level  and  increased  reliability. 
The  data  was  collected  in  a  manner  such  that  the  before  and  after  parameters 
for  vibration  level  and  failure  rate  were  discernable.  Therefore,  the  impact 
of  vibration  levels  upon  reliability  can  be  assessed  for  the  pre-improvement 
fuel  control  versus  the  post-improvement  fuel  control. 

The  last  part  of  the  G^:ta  was  drawn  from  information  presented  in  "RADC  Relia- 
ability  Notebook  -  Volume  III"  (Reference  66). 

The  search  for  further  data  was  conducted  in  three  general  areas.  These  areas 
v.\'re;(l)  library  literature;  (2)  people  working  in  the  fields  of  stress,  and 
vibration  and  reliability’,  and  (3)  government,  and  government-supported,  organ¬ 
izations.  A  representative  sample  of  the  contacts  made  during  the  search  is: 

UTC  Research  Library,  East  Hartford 
Marshall  Library,  Huntsville 
Mr.  D.S.  Steinberg,  Litton  Industries 
Mr,  E.  Kimball,  Martin  Marietta 
GIDEP 

RAOC,  Mr,  Lester  Gubbins 

IITRI  (RAOC),  Mr.  C.  Ehrenfried  and  Mr.  H.  Rickers 

The  search  did  not  uncover  any  data  pertinent  to  this  study. 

Due  to  the  large  number  of  subsystems  within  the  aircraft,  the  Sikorsky  report 
(Reference  55)  elected  to  breakout  only  the  top  13  subsystems  as  determined 
by  the  number  of  failures  Uable  D-1).  Of  the  top  13  subsystems  only  one, 

Radio  Navigation,  and  portions  of  three  others,  Utility,  Electrical  and  Fuel, 
are  of  interest  in  an  analysis  concerning  electronic  components.  From  these 
four  subsystems,  seven  pieces  of  equipment  were  applicable  to  the  analysis 
(see  Table  D-2).  The  complexity  of  this  group  ranges  from  switches  and  relays 
to  radio  transceivers. 

In  order  to  obtain  a  consistent  data  base,  only  equipments  of  roughly  the  same 
relative  complexity  were  considered.  Therefore  the  following  equipments  were 
deleted  from  the  data  base;  Fire  Sensing  Element,  Cargo  Switches,  Pressure 
Switches  and  Engine  Start  Relay. 

The  equipments  remaining  in  the  data  base  are  shown  in  Table  C-3. 


460 


TABLE  D-1  TOTAL  AIRCRAFT  SYSTEM  COMPARISON 


Aircraft  Subsystem  W/0  Absorber 

Failure  Rate 
W/Absorber 

(10-3) 

A  Failure 

1.  Airframe 

223.7 

107.8 

115.9 

2.  Drive 

108.7 

47.6 

61.1 

3.  Utility 

64.1 

13.8 

50.3 

4.  Landing  Gear 

91.5 

44.8 

46.7 

5.  Lights 

119.6 

29.3 

90. J 

6.  Fuel 

56.2 

22.8 

33.4 

7.  Flight  Controls 

58.4 

22.8 

35.6 

8.  Cockpit/Fuselage 

33.1 

9.9 

23.2 

9.  Electrical 

35.6 

12.4 

23.2 

10.  Hydraulic  Power 

37.1 

17.1 

20.0 

11.  Intercommunications 

39.5 

21.2 

18.3 

12.  Radio  Navigation 

65.5 

50.2 

15.3 

13.  Airconditioning/Heating 

27.1 

18.3 

8.8 

4G1 


TABLE  D-2  COMPONENT  FAILURE  RATE 


Component  Name 

Failure  Rate  (10-3) 

W/0  Absorber  W/Absorber 

Vibration  Level  (g's) 
W/0  Absorber  W/Absorber 

1. 

Fire  Sensing  Element 

5.5 

1.3 

1.34 

0.47 

2. 

Fire  Detector  Control 

4.1 

0.6 

1.34 

0.47 

3. 

Cargo  Switches 

3.6 

3.2 

0.61 

0.25 

4. 

Pressure  Switches 

4.7 

1.5 

1.48 

0.60 

5 

Voltage  Regulate' 

1.4 

0.8 

0.52 

0.33 

6. 

Engine  Start  Relay 

2.4 

1.4 

0.36 

0.29 

7. 

LF/ADF  RCVR  (ARN-59) 

6.3 

4.2 

0.75 

0.35 

46? 


Before  the  analysis  could  proceed,  the  failure  rates  for  the  control  group 
(without  absorber)  had  to  be  adjusted  for  the  difference  in  temperature  that 
the  two  groups  experienced.  The  two  groups  were  stationed  in  different  cli¬ 
matic  zones.  The  group  without  the  absorber  was  stationed  in  a  zon*-  where  the 
annual  mean  temperature  was  64.50F,  and  the  group  with  the  absorber  was  sta¬ 
tioned  in  a  zone  where  the  annual  mean  temperature  was  23.80F.  This  difference 
in  annual  mean  temperature  produces  a  difference  in  the  te.mperature  to  which 
the  operating  electronics  were  subjected.  The  temperature  experienced  by  the 
electronics  was  assumed  to  be  the  sum  of  the  outside  ambient  temperature  and 
the  temperature  rise  associated  with  the  electronic's  own  disipation.  The  in¬ 
ternal  temperature  rise  of  the  electronics  was  estimated  to  be  75®F. 

Therefore,  the  control  group  electronics  experienced  an  operating  temperature 
of  139. 5°F  and  the  other  group  of  electronics  was  subjected  tu  an  operating 
temperature  of  98.8°F.  Due  to  the  higher  operating  temperature,  the  ontrol 
group  electronics  will  exhibit  a  higher  failure  rate  than  the  group  of  elec¬ 
tronics  associated  with  the  absorber  equipped  helicopter.  To  coripensete  for 
the  temperature  induced  failure  rate  differences,  the  failure  rates  for  the 
control  group  (without  absorber)  were  adjusted  downward  by  the  use  of  a  multi¬ 
plicative  factor. 

The  factor  was  developed  from  the  Failure  Rate/Temperature  curve  of  Figure  D-1. 
From  the  curve  it  can  be  seen  that  at  37.1'C  (98.8°F)  the  corresponding  failure 
rate  is  39.0  X  10"^  F/Hr.  For  59.7°C  (139.5'^F)  the  failure  rate  is  43.5  X  10“^ 
F/Hr.  Therefore,  the  failure  rates  at  139.5'^F  reduced  by  the  factor  .897  = 

39.0  X  10'®/43,5  X  10“^  are  equivalent  to  the  failure  rates  at  98.8'^F.  The 
important  assumption  is  that  the  Failure  Rate/Temperature  Curve  developed  from 
the  EEC  103  Fuel  Control  can  be  used  as  a  tradeoff  tool  for  the  helicopter 
equipment  with  different  form,  function  and  environment. 

The  relevant  data  is  displayed  in  Table  0*3. 

In  order  to  make  the  JFC90  data  consistent  with  the  helicopter  data  the  failure 
rates  were  adjusted  downward  to  take  into  account  the  JFCQO's  higher  operating 
temperature,  A  multiplicative  factor  was  used  to  accomplish  the  adjustment. 

The  factor  was  developed  from  the  Failure  Rate/Temperature  Curve  of  Figure  D-i. 
From  the  curve  it  can  be  seen  that  at  37.1°C  (98.8°F)  the  corresponding  fail¬ 
ure  rate  is  39.0  X  10“°  F/Hi'.  For  125°C  (257°F)  the  failure  rate  is  210  X  10“^ 
F/Hr.  Therefore,  the  failure  rates  at  IZS^C  reduced  by  the  factor  0.186  = 

39.0  X  10“^/?10  X  10"®  are  equivalent  to  failure  rates  at  37.1°C. 

The  relevant  data  is  displayed  in  Table  0-2. 

The  data  drawn  from  "RADC  Reliability  Notebook  -  Volume  H"  (66)  was  derived 
from  Table  1-3,  Nominal  Ranges  of  Environmental  Stress  Characteristics,  and 
Table  XII-7,  Environmental  Adjustment  Factor  for  microcircuits.  From  Table 
1-3  the  following  three  pairs  of  environments  were  chosen  for  analysis:  Ground 
Fixed  (6F)  and  Ground  Portable  (GP),  Airborne  Inhabited  and  Airborne  Uninhab¬ 
ited  (AU),  Satellite  Launch  (SL)  and  Missile  (H).  The  pairs  were  chosen  so 


that,  the  environmental  stress  characteristicr  olhir  than  vibration  were  as 
similar  as  possible  within  pairs.  The  vibtalion  ratio  for  each  pair  was  ob¬ 
tained  by  forming  the  ratio  of  the  maximum  vibraxicn  level  for  each  environ- 
I’leni  within  the  pair.  The  failure  rate  ratio  was  ebtaineo  by  fonning  the  rati 
of  the  Environmental  Adjustment  Factor  for  each  environment  within  the  pair, 
Tt;is  information  is  orrsented  in  Table  . 


In  Figure  D-2  a  "Best  Fit"  curve  was  drawn  through  the  points  obtained  from 
the  helicopter  data  and  the  JFC90  data,  A  separate  curve  was  drawn  through 
th.e  data  points  derived  fron  the  RADC  reiiort  (Reference  66).  Because  of 
ttiv  '..uarsci’uss  an..,  scarcity  of  data  pom's,  the  two  lines  do  not  coincide  but 
serve  as  upper  ar'd  lower  l:0'j>'.ds  T-or  a  range  of  possible  values.  Also,  for 
vibraticn  ratios  greater-  than  2.25,  suiricient  data  docs  net  exist  to  support 
a  smooth  extension  cf  the  curves.  Ihercforo,  a  maximum  upper  bOuCd  of  2.3  for 


tiro  I  a  1 1  ..re  Rati; 


r,  a  .  1  ( 


was 


lb  1  i  Si'iC'd  1  Or' 


IS  oreater  than  2.25. 


The  curve  in  I'icjurc  ;‘-2  provides  t!ic  l■■:ca'■lS  for  iJeniifyirg  tlie  Failure  Rate/ 
Vibration  level  tradeoff  in  terms  of  relative  .ibration  levels.  The  curve  is 
dependent  upon  the  assumption  thai  the  vibi'aiion  levels  uf  interest  do  not  ex¬ 
ceed  equipment  design  capabilities. 


The  Curve  in  Pigui-e  L.-2  can  be  appliec!  to  other"  systems  ic  determine  the  im¬ 
pact  of  vibration  uiion  failure  rates.  For  example  consider  a  system  with  a 
failure  rate  of  IOC  .f  1C"2  F/Hr  and  a  vibration  level  of  10  G's,  If  the  system 
was  redesigned  such  that  tlie  vibt'ation  level  was  r-educeri  to  5  G's,  what  would 
be  the  corresponcing  failure  ^ate?  From  Figure  0-2  it  can  be  seen  that  for  a 
vibration  ratio  of  2,  the  failure  rate  ratio  is  1.67  using  tiie  upper  curve. 
Therefore,  the  new  failure  rate,  at  the  reduced  vibration  level  is  59.88  X  IG‘3 
F/Hr  =  100  X  10-3/1.67. 


If  both  the  operoting  temperature  and  the  vibration  level  are  altered  because 
of  a  design  change,  then  the  net  effect  of  the  changes  upon  the  failure  rate 
can  be  calculated  by  independently  applying  the  temperature/tai lure  rate  aiid 
vibration/failure  rate  techniques.  For  example  consider  a  system  with  a  fail¬ 
ure  rate  of  100  X  10’^  F/Hr,  a  vibration  level  of  10  G's,  and  an  operating 
temperature  of  70OC.  If  the  system  was  redesigned  such  that  the  vibration 
level  was  reduced  tn  4  G's  and  the  temperature  increased  to  90OC,  what  would 
be  the  corresponding  failure?  From  Figure  [i-1  it  can  be  seen  that  at  70^0  the 
failure  rate  is  43.5  X  10*^  F/Hr  and  at  90°C  the  failure  rate  is  70  X  10"^  F/Hr 
for  a  ratio  of  1.44,  Therefore,  the  or''ginal  failure  rate  is  increased  by 
44  X  10"^  F/Hr  due  to  temperature  effects.  From  Figure  0-3  it  can  be  seen 
that  For  a  vibration  ratio  of  2.5,  the  failure  rate  ratio  is  2.3.  Therefore, 
the  original  failure  rate  is  decreased  by  56.52  X  10"^  F/Hr  due  to  vibration 
effects.  For  the  combined  Temperaturc/Vibration  effects,  the  failure  rate  is 
reduced  by  a  net  12.52  X  10"^  F/Hr.  Thei'efore,  the  new  -failure  rate  is  87.48 
X  10-6  F/Hr. 


TABLE  lj-4  RADC  V 


Envi ronment 
Ground  Fixed 
Ground  Portable 


Airborne  Inhabited 
Airborne  Uninhabited 


Satellite  Launch 
Missile 


Vibration 

5 

15 

30 

60 

60 

100 


RATE  RELATIONSHIP 


Environment  Vibration 
Factor _ Ratio 


2 

5 


3.00 


5 

7 


2.00 


8 

10 


1.67 


Failure  Rate 
Ratio 


2.5 


1.40 


1.25 


406 


0  HELICOPTER 
O  JF"C-90 

A  DERIVED  FROM  RADC 


This  appendix  is  included  to  define  the  specific  electrical  tests,  conditions 
and  end  point  limits  used  by  ML'AC-St.  Louis  in  ttie  performance  of  this  progra.ii. 
Table  C-1  is  a  list  of  the  parametric  tests,  conditions  and  limits  and  Table 
l:-2  IS  the  truth  table  used  for  functional  testing.  The  tests  listed  in  these 
tables  are  identical  to  the  tests  used  by  the  manufacturer  in  order  to  estab¬ 
lish  correlation  between  the  MDAC-St.  Louis  and  manufacturer  rest  systems. 

As  a  result,  the  tests  differ  slightly  from  those  contained  in  the  Hamilton 
Standard  Statement  of  Work.  These  differences  are: 


.1) 


Low  Level  Input  Voltage  (Vjl)  and  High  Level  Input  Voltage  (ViH;  were 
not  measured  directly  and  do  not  appear  on  the  Table  D-1  parametric 
electrical  test  list,  Vjl  and  Vih  were  inherently  verified  during 
the  noise  margin  functional  tests.  Two  fjoise  Margin  (N.M.)  tests  at'e 
performed  using  the  functional  lest  pattern.  The  first  H.M,  test  was 
pertorned  v.'itti  v|ri  -  15.0  V,  iiiiiut  levels  Ot  11.0  V  ar.c  4.0:  V  tor  high 
and  low  levels,  ai'd  outimi  compare  limits  of  13.5  V  and  1.5  V  for  hich 
and  lo-.-.  levels.  Tiic  seccr-i  i..'-!.  test  was  performed  with  Vop  =  5.C  V, 
input  levels  of  3.5  V  a*' 1.5  V  and  Gut|r.;t  corgtar-e  limits  of  4.5  V  and 
0.5  V.  Ttie  f,.ii.  ..est  iny,  Ihereture,  inlierontly  venified  that  V'Il  and 
VlH  are  within  the  specified  limits. 


b)  Low  Level  Output  Voltage  (VQL)  3nd  High  Level  Output  Voltage  (Vqh) 
were  only  measured  with  Voo  =  15.0V,  the  worst  case  condition. 

c)  The  conditions  ot  the  High  Level  Output  Current  (Iqh)  test  at  VpD  = 
5.0V  were  r'ldiried.  The  Vqijt  voltage  was  changed  from  4.6  volts  to 
2.5  volts  anu  the  end  point  limii  from  -0.51  niA  to  -2,4  mA. 


d)  negative  and  positive  Output  Saturation  currents  were  included  in  the 
electrical  parametric  test  list. 


e)  The  functional  test  sequence  is  not  defined  in  the  Statement  of  Work 
and  the  manufacturer's  test  sequence  was  followed.  This  test  seq-ience 
consists  of  a  clear  cycle,  load  seven,  count  around  to  six,  disable 
via  PE,  disable  via  TE,  load  fifteen  and  clear.  The  sequence  is  per¬ 
formed  at  VOD  =  3.0V  and  Vqp  =  18. OV  with  a  0.2  MHz  clock  frequency. 


TABLE  E-1  PARAMETRIC  TEST  CONDITIONS 


TABLE  E-2  FUNCTIONAL  TEST  TRUTH  TABLE 


DURING  EACH  STEP 


APPENDIX  F 

CONSTRUCTION  EVALUATION  FOR  ACCELERATED  LIFE  TESTS 


475 


An  analysis  vjas  rr;ade  of  the  physical  characteristics  of  a  l6-pin  certlip  to 
deternine  if  there  existed  any  physical  construction  features  that  might  pre¬ 
clude  high  temperature  accelerated  life  tests  at  the  temperatures  specified 
(150°C,  175°C,  and  200°C).  In  this  analysis  one  of  the  devices  was  delidded 
and  a  microscopic  inspection  was  made  with  attention  given  primarily  to  deter¬ 
mining  the  materials  used  in  constructing  the  device.  T"ble  f-t  contains  a 
summary  of  the  results  of  this  analysis,  fio  device  features  were  found  thaf 
would  limit  high  temperature  operation  at  elevated  temperatures  below  25C°b. 


TABLE  F-1 


PACKAGE  TYPE; 

L_ 

PACKAGE  MATERIAL: 

glass  I  VAT  ion: 

DIE  SCRIBE  METHOD; 

DIE  SIZE; 

DIE  ATTACHMENT: 

HIRE  MATERIAL: 

WIRt  BONDING  METHOD: 

Intraconnect  material; 

LEAD  MATERIALS: 

CHARACTERIZATIUK  SUMMARY 


16  LtAD  OUAl-IN  line  CERDIP 

TO?:  Black  ceramic 

BOTTOM:  BLACK  CERAMIC 

LIO  SEAL  i  LEAD  INSULATOR:  GREY  GLASS  FRIT 
SiO^ 

MECHANICAL  SCRIBE 

es  MIL  X  57  MIL 

COLD-SILICON  EU1ECT1C 

AlUMlNUMi  1  MIL  DIAMETER 

LEAD  FRAME:  ULTRASONIC  BOND 
DIE  BOND  PAD:  ULTRASONIC  BOND 

ALUMIHUH 

E.'.T£RNAL:  KOVAR  TYPE  WITH  TIN  PLATING 


LEAD  FRAME:  KOVAR  IYPl  WITH  ALUMINUM  PLATING 


APPENDIX  6 

COST  BENEFITS  OE  SELF-TRIM  CONTROL  MODES 


479 


G.l  Sumtr.ary 


For  the  Reliability  Advancement  Study  for  Electronic  Engine  Controllers,  a 
life  cycle  cost  analysis  was  made  of  the  controllers'  self-trim  capability 
(Task  II  of  Hamilton  Standard  Purchase  Order  BE  067639).  The  application  used 
for  the  study  was  an  advanced  variable-cycle  engine  mounted  in  a  two-engine 
tactical  fighter  aircraft  combat  fleet  of  540  ope>ation  aircraft  using  1,728 
engines  over  a  15-year  life.  The  self-trim  feature  provides  a  life  cycle  cost 
savings  of  $472.7  million. 

The  primary  savings  (85?^)  resulting  from  the  self-trim  feature  were  in  the  area 
of  reduced  spare  parts  costs  due  to  the  elimination  of  trim  "hot"  time  and  an 
increase  in  the  ratio  of  engine  flight  hours  to  operating  hours.  Fuel,  labor, 
and  support  equipment  savings  related  to  trims  were  relatively  small. 

The  total  life  cycle  cost  savings  attributed  to  the  self-trim  control  modes 
were  added  to  the  total  life  cycle  cost  analysis  conducted  ’or  this  pro- 
g  r  am . 

U.2  introduction 

A  life  cycle  cost  (LCC)  study  of  the  self-trim  benefits  of  an  advanced  engine 
electronic  controller  was  performed  as  part  of  Task  II  of  the  overall  prcytam, 
which  is  to  achieve  high  reliability  for  engine-mounted  electronic  controls. 

For  the  purpose  of  this  study,  it  was  assumed  that  the  application  is  an 
advanced  variable  cycle  engine  equipped  wit'  an  electronic  control  having  seif- 
trim  capabi 1 i ty. 

The  objective  of  this  analysis  was  to  evaluate  the  operating  and  support  cost 
savings  associated  with  the  self-trim  feature.  The  term  "self-trim"  means 
that  once  an  engine  is  put  into  service  no  manual  action  is  required  to  main¬ 
tain  engine  thrust.  A  closed  loop  control  approach  is  implemented  to  eliminate 
tfie  need  to  trim  the  engine  to  maintain  desired  thrust  and  engine  airflow.  The 
control  mode  utilizes  engine  parameters  for  automatic  regulation  of  desired 
thrust  setting  and  engine  airflow. 

G,3  Results 

The  following  is  a  summary  of  the  results  of  the  self-trim  control  modes  study: 


^  LCC  ( S  Millions) 

RDT&E  Cost 

Mo  Change 

Acquisition  Cost 

No  Change 

Operation  and  Support  Cost 

Sparc  parts  and  associated  labor 

-401 .8 

Su()port  equipment 

-  8.9 

Trim  fuel 

-  52.5 

Trim  labor 

-  9.5 

total 

-472./ 

480 


The  cost  driver  m  this  analysis,  as  shown  by  the  breakdown  above,  was  the 
spare  parts  ano  associated  labor  costs  with  a  predicted  savings  of  S40I.S  nnl- 
lion  (about  6b"/o  of  the  total  savings). 


G.4  Study  Groundrules 


The  force  structure  and  utilization  groundrules  for  this  stuoy  are  as  follows: 

•  729  total  aircraft 

•  1728  total  engines  (including  27C  spares) 

®  640  uperational  aircraft  (6  bases  and  1  training  iiase) 

•  Each  operational  aircraft  flies  7^6  hr/dionth  for  16  years 
Economc  assumptions  are  as  follows: 

•  1973  dollars 

•  case  l.evel  Labor  fate;  $16.25  per  niaintenence  nian-hour  (mr.h'i 

•  repot  Level  Labor  kale:  $26.00  per  — ;h 

•  Fuel  Cost;  $0.46  oer  gallon 


G.5  Discussion 

G . 5 . 1  Development  and  Acquisition  Costs 

This  study  did  not  consider  any  RDT&L  or  acquisition  costs  associated  with  the 
electronic  engine  control  system.  Small  differences  in  development  and  pro¬ 
duction  costs  between  an  advanced  controller  with  and  without  self-trim  capa¬ 
bilities  were  considered  insignificant  to  this  study. 

G . 5 . 2  Self-Trim  Savings 

Elimination  of  manual  trirri  provides  a  hot  section  life  improvement  in  two  ways 
A  conventional  engine  mode  which  controls  to  engine  speed  requires  occasional 
trim  action  to  maintain  thrust  above  an  acceptable  minimum  level.  This  trims 
the  engine  to  a  nominal  thrust  condition  and  then  allows  it  to  deteriorate 
back  to  the  minimum  level  where  it  is  then  retrimmed.  The  self-trim  modes  con 
tinually  maintain  the  desired  engine  thrust  at  the  desired  level  and  eliminate 
any  uptrimming,  thus  saving  hot  section  life.  The  second  benefit  in  hot  sec¬ 
tion  life  comes  from  the  elimination  of  engine  hot  time  (intermediate  power 
and  above)  required  tor  nround  trim  runs.  Tliis  increases  the  life  of  hot  sec¬ 
tion  parts  and  increases  the  ratio  of  engine  flight  hours  to  total  operating 
hour's . 


(j . 5 . 3  Spare  Parts  and  Asodated  Labor 


A  major  portion  of  the  self-trim  LCC  savings  is  from  reduced  spare  parts  and 
labor  rogjirements  caused  by:  (1)  hot  section  life  improvements  and  (2)  in¬ 
creased  ratio  of  engine  flight  hours  to  total  operating  hours. 

The  electronic  control  self-trimming  capability  would  eliminate  all  trim  time, 
which  represents  75%  of  the  total  ground  hot  time,  the  othe  25%  being  asso¬ 
ciated  with  diagnostic  runs.  This  descrease  in  engine  hot  time  (intermediate 
power  and  above)  resulted  in  a  25%  increase  in  the  lives  of  the  erosion  and 
creep-limited  parts.  Hot  section  life  improvement  accounted  for  73%,  or  about 
S66  per  engine  flight  hour,  of  spare  parte  and  labor  savings.  The  increase  in 
the  lives  of  the  erosion  and  creep-limited  parts  reduces  the  number  of  spares 
used  over  the  operating  life  of  the  engine,  saving  S321.2  million  in  spare 
parts. 

An  increase  in  the  ratio  of  engine  flight  hours  to  total  operating  hours  means 
that  for  a  fixed  number  of  flight  hours,  the  total  number  of  operating  hours 
for  each  engine  decreases.  The  savings  attributed  to  the  reduction  in  total 
operating  hours  was  determined  based  on  overall  engine  maintenance  cost  per 
flight  hour.  With  the  decrease  in  total  operating  time,  the  total  maintenance 
cost  of  the  "cold"  engine  parts  is  decreased,  producing  an  additional  saving 
of  $80.6  million. 

G . 5 . 4  Support  Equipment 

Support  equipment  savings  were  based  on  the  assumption  that  diagnostic  capa¬ 
bility  at  the  organizational  and  intermediate  levels  would  be  equivalent  to 
that  of  the  current  FlOO  engine.  All  trim-related  support  equipment  at  the 
organizational  and  intermediate  maintenance  levels  was  eliminated  and  consid¬ 
ered  as  savings,  including  any  nonrecurring  costs.  Since  trim  runs  presently 
account  for  a  major  portion  of  ground  operating  time,  it  was  assumed  that  one 
portable  test  stand  could  be  eliminated  at  each  base  as  a  result  of  the  elim¬ 
ination  of  trim  runs. 

At  the  Depot  maintenance  level,  it  was  assumed  that  the  work  load  would  remain 
constant,  with  no  net  cost  difference  in  re^^uired  support  equipment. 

A  summary  of  the  support  equipment  savings  is  shown  below: 

Eliminated  Support  Equipment  A  LCC  ($  t^'ii  1  lions) 

Organizational  Level  -6.9 

•  Mach  number  simulators  (two  per  wing) 

•  Remote  trimmers  (two  per  wing) 

•  SCS  test  set  and  engine  trim  set  (four  per  wing) 

Intermediate  Level  -2.0 

•  Mach  number  simulator  (one  per  wing) 

•  Remote  trimmers  (two  per  wing) 

•  Test  stand  (one  per  wing) 


Eliminated  Sup 


uipmen 


A  LCC  (S  Ki 1  lions 


)port  Eg 


Depot  Level 

•  No  change  _ 0 

TOTAL  SUPPORT  EQUIPMENT  SAVINGS  -6.9 

G.5.6  Trim  Fuel  and  Labor 

The  average  fuel  consumed  during  a  trim  run  is  2400  gallons,  based  on  F-15 
trim  data  from  Langley  AFB  scaled  to  reflect  the  variable  cycle  engine  complex 
ity.  At  engine  maturity,  the  mean  time  between  trims  is  projected  to  be  100 
engine  flight  hours.  With  fuel  costs  at  SO. AS  per  gallon,  the  elimination 
of  all  trim  runs  would  save  $52.5  million  over  the  4.86  million  total  engine 
flight  hours  of  the  fleet.  A  labor  saving  of  $9.48  million  would  result  from 
the  elimination  of  trim  runs  based  on  the  average  12  man-hours  required  per 
trim,  the  labor  rate  of  $16.25  per  mmh,  and  the  projected  number  of  trims  that 
would  have  been  required. 


Depot  Level 

•  No  change  _ 0 

TOTAL  SUPPORT  EQUIPMENT  SAVINGS  -8.9 

0.5.5  Trim  Fuel  and  Labor 

The  average  fuel  consumed  during  a  trim  run  is  2400  gallons,  based  on  F-15 
trim  data  from  Langley  APB  scaled  to  reflect  the  variable  cy^le  engine  complex¬ 
ity.  At  engine  maturity,  the  mean  time  between  trims  is  projected  to  be  100 
engine  flight  hours.  With  fuel  costs  at  $0.45  per  gallon,  the  elimination 
of  all  trim  runs  would  save  S52.5  million  over  the  4.86  million  total  engine 
flight  hours  of  the  fleet.  A  labor  saving  of  $9.48  million  would  result  from 
the  elimination  of  trim  runs  basea  on  the  average  12  man-hours  required  per 
trim,  the  labor  rate  of  $16.25  per  mmh,  and  the  projected  number  of  trims  that 
would  have  been  required. 


i 

I 

I 


i 

f 


RLFERlNClS 


Wuli,  "Reliable  Hardware/Software  Architecture."  IEEE  Tran;,  on 
Software  Engineering,  June  197S. 

W . S .  Feller,  An  Introduction  to  Probability  Theory  and  Its  Application. 
Volume  I,  Wiley,  New  York,  1957. 

w.C.  Bouricius,  W.C.  Carter,  and  P.R,  Schneider,  "Reliability  Modeling 
Techniques  for  Self-Repairing  Computer  Systems."  P  roc .  of  the  ?4th 
National  Conference  of  ACM,  196'.'. 

T.F.  Westermeier,  "Redundancy  Management  of  Digital  Fly-By-Wire  Systems. 
Rroc.  Joint  Automatic  Control  Conference  (IEEE),  Volume  1,  1977. 

C.E.  Shannon  ana  E.F.  Moore,  "Reliable  Cii'cuits  Using  Less  Reliable 
Relays."  J.  Franklin  Inst..  Vol.  262.  pD  191-203  and  281-297,  Sept/Oct 
1956.  ■ 

J.G.  Tyron,  "Quadded  Logic."  Recundancy  Techniques  for  Computing 
Systems ,  Spartan  Books,  1962. 

J.  Von  Neumann,  "Probabilistic  Logics  and  Ttie  Synthesis  of  Reliable 
Organisms  FrOiTi  Jrit  el  i au le  Cuiupouen Ls . "  Aulum.alc  Studies,  «nnals  of 
Mathematics,  Mo,  34,  pp  45-98,  Princeton,  1956. 

I.  BazovSKy,  Reliability  Theory  and  Practice.  Prentice-Hall  Inc,,  MJ, 
1961. 


M.L,  Shoorjn,  Probabilistic  Reliability:  mn  Engineer  inn  Approach, 
pp  136-14G,  McGraw-Hill,  lij. 

Heckelman,  Knight,  and  Straub,  "A  Self  Diagnosing  Fault  Tolerant  Micro¬ 
processor,"  pp  124  and  125,  GCITAC  Digest  of  Papers,  General  Electric, 
197S. 


J.  Frokop  anJ  D.W.  i  1  1  i  a  Vi  ,  Chiu  Cart  iers  -s  f  ‘vaans  I  oi  li  i  gii-irns  i  ty 
Packaui^.  Te>:3s  ! nsi  rumc-u t  s ,  iu.,.,  ucfTTa ,  ~1  Sni i ,  T 977  . 

M.C.  Burch,  and  F.M.  Ha>-nis,  rora-'ic  Chip  La-  rin' 

Pa''-  a-  ina.  i.  irc  tronics  ;  ivision,  DM  Compan,. 


:nd  ar 


l;.i;.  Gurcan,  RCA  Ad.'anceu  iecf.noluG/  Laboratories,  NJ, 
aginn  Dsiriq  tompou'i-i  HybirJs  i.’ i  Ih  LSI."  Llecir.nic  rack 
ductiun ,  i.-ovembor  19?'3. 


irborne  Fack- 
ina  and  Pru- 


4c.  1 


14.  H.W.  Markstein,  "Chip  Carrier  Update."  Electronic  Packaqinq  and  Pro- 
duction.  April  1979. 

15.  D,  Aney,  "Looking  Ahead  At  High  Density  Packaqinq."  Electro.  '78, 
Electronics  Show  and  Convection,  sponsored  by  IEEE  and  ERA,  Ray  23-25, 
1978. 

16.  R.j.  Clark,  General  Electric  Co.,  "Microelectronic  Packaging  Trends: 

An  lEPS  Review."  Electronic  Packaqinq  and  Production.  January  1979. 

17.  Captain  R.E.  Settle,  Jr.,  Air  Force  Avionics  Laboratory,  "A  New  Family 
Of  Microelectronic  Packages  For  Avionics."  Solid-State  Technology, 

June  1978.  - 

18.  Dr.  J.S,  Sallo,  Fortin  Laminating  Corp.,  "Selecting  Laminates  For 
Multilayer  and  Two-Sided  Rigid  PCB's.  Circuits  Manufacturing. 

19.  R.  Castonguay,  MICA  Corp.,  "Resin  Systems  For  High-Performance  Lamin¬ 
ates."  Electronic  Packaqinq  and  Production.  July  1979, 

20.  A.ion.,  "Guidelines  For  Designing  Multilayer  Ceramic  Substrates,"  Elec¬ 
tronic  Products  Division,  3M  Company. 

21.  R.L,  Morey  and  P.J.  Pijoan,  "Thick  Film  Multilayer  Boards:  Specialized 
Problem  Areas."  C.S.  Draper  Laboratory,  Inc.,  ISHM,  1978. 

22.  D_.P.  Wicker  and  W.B.  Hatfield,  "Porcelain  Steel  Technology;  A  Bona- 
fide  Alternative?"  The  Singer  Company,  Corporate  R&D  Laboratory,  ISHM, 
1978. 

23.  F.A,  Fisher  and  J.A,  Plumer,  General  Electric  Company,  "Lightning 
Protection  of  Aircraft."  NASA  Reference  Publication  1008, ' Prepared  for 
Aerospace  Safety  Research  and  Data  Institute,  NASA  Lewis  Research  Cen¬ 
ter,  October  1977. 

24.  Aron.,  "Electromagnetic  Compatibility."  Air  Force  Systems  Command 
Design  Handbook  DHl-4,  Third  Edition,  January  5,  1975. 

25.  J.D.  Robb,  "Lightning  Protection  Approaches  For  Gas  Turbine  Controls." 
AMSE  Publication  No.  71-GT-29,  Applied  Research,  Lightning  and  Trans¬ 
ients  Research  Institute,  St.  Paul,  Minn.,  April  1971. 

26.  Anon.,  "Space  Shuttle  Lightning  Protection  Criteria  Document."  NASA 
Publication  JSC-07636,  Shuttle  Lightning  Protection  Committee,  Lyndon 
B.  Johnson  Space  Center,  Houston,  Texas,  September  11,  1973. 


4C6 


'1 


-*1 


< 


27.  J.A.  Plumer,  General  Electric  Company,  "Analysis  and  Calculation  of 
Lightning-Induced  Voltages  in  Aircraft  Electrical  Circuits."  NASA  Con¬ 
tractor  Report  CR-2349,  Prepared  for  NASA  Lewis  Research  Center, 

January  1974. 

28.  Anon.,  "Final  Draft,  Aerospace  Recommended  Practice,  Lightning  Effects 
Tests  on  Aerospace  Vehicles  and  Hardware."  SAE  Publication,  SAE  Com- 
mittee  AE4  on  Electromagnetic  Compatibility,  Special  Task  F,  May  1,  1974. 

29.  Anon.,  "Lightning  and  Static  Electricity  Conference,  Part  II:  Confer¬ 
ence  Paper."  Air  Force  Avionics  Lab  Technical  Report  AFAL-TR-68-290, 
December  3-5,  1968. 

30.  Anon.,  "Protection  of  Aircraft  Fuel  Systems  Against  Lightning."  FAA 
Advisory  Circular  AC  20-53,  Washington,  D.C.,  October  1967. 

31.  Anon.,  "Lightning  and  Static  Electricity  Conference."  Air  Force  Avion¬ 
ics  Lab  Technical  Report  AFAL-TR-72-325,  December  12-15,  1972. 

32.  Anon.,  "Bonding,  Electrical,  and  Lightning  Protection  For  Aerospace 
Systems."  MIL-B-508713 ,  October  15,  1964. 

33.  L.L.  Oh,  "Measured  and  Calculated  Spectral  Amplitude  of  Lightning 
Sferics."  Commercial  Airline  Group,  Boeing,  IEEE  Trans,  on  EMC,  Novem¬ 
ber  1969. 

34.  R.A.  Week,  "Thin-Film  Shielding  for  Microcircuit  Applications  and  a 
Useful  Laboratory  Tool  for  Plane-Wave  Shielding  Evaluation."  Electronic 
Components  Lab,  USAECOM,  Fort  Monmouth,  N.J.,  IEEE  Trans,  on  EMC,  F;arch 
1968. 

35.  P.J.  LeBlanc  and  D.L.  Reinhard,  "EMI  Shielding  of  Plastic  Housings," 
General  Electric  Co.,  Pittsfield,  Mass.,  Electronic  Packaging  and  Pro¬ 
duction,  February  19/5. 

36.  Anon.,  "Control  Mode  Studies  For  Advanced  Variable  Geometry  Turbine 
Engines."  ArAPL-TR-75-7,  March  1974. 

37.  Anon.,  "Aircraft  Fuel  Heat  Sink  Utilizations."  AFAPL-TR-73-51 . 

38.  Anon.,  "FADEC,  Full  Author! ty  Ui gi tal  Electronic  Control."  NAPTC  Con¬ 
tract  N00019-76-C-0422. 

39.  N.  Sissenwine,  "Extremes  of  Hydrometers  at  Altitude  For  MIL-STD-210B . " 
AFCRL-72-0369,  AFSC  No,  242,  1972. 


:  4 

■  I 

-I 

£ 

i 

I 

.! 


437 


40.  B.  I  ibovic2  ar.d  r.L.  Ostre'in,  "A  Survey  of  EnvironmenUl  Conciilions 
Incident  to  The  Transportetion  of  Materials",  Dept,  of  Transportation 
Bulletin,  PB  204  442,  Final  Report,  Phase  I  General  American  Transpor¬ 
tation  Corp.,  October  1971. 

41.  Anon.,  "Long-Life  Assurance  Study  For  Manned  Spacecraft  Long-Life  Hard¬ 
ware."  Summary  of  Long-Life  Assurance  Guidelines,  Vol.  I,  Martin- 

Mar  ietta"Tor^otirri'orr7sepTemEeFT972^ 

42.  0.  Edgerton,  Jr.  and  I.  Quart,  "Hughes  Aircraft  Company  Stress  Screen¬ 
ing  Studies."  Proceedings- Insti  tute  of  Environmental  Sciences,  1979. 

43.  Bathke,  General  Dynamics/Pomona,  "Standardizing  Environmental 
Testing  in  a  Mul ti-Programi  Orientation."  Proceedings-Insti tute  of 
Environmental  Sciences,  1979. 

44.  J.D.  Branum,  "Selection  and  Evaluation  of  Environmental  Screening  Tests 
For  Trident  I  (C4)  Electronics  Black  Boxes."  Lockheed  Missiles  and 
Space  Company. 

45.  u.S.  Peck  and  C.H.  Zierdt,  Jr.,  "The  Reliability  of  Semiconductor 
Devices  in  The  Bell  System."  Proceedings  of  The  IEEE,  Vol.  62,  Do.  2, 
pp  185-211,  February  1974. 

46.  D.S.  Peck,  "New  Concepts  About  Integrated  Circuit  Reliability."  Bell 
Telephone  Laboratories,  IEEE  Transactions  Electronic  Devices  (USA), 

Vol.  ED-26,  No.  1,  pp.  38-43,  January  1979. 

47.  Anon.,  "Long-Life  Assurance  Study  for  Manned  Spacecraft  Long-Life  Hard¬ 
ware."  Special  Long-Life  Assurance  Studies,  Vol.  4,  Martin-Marietta 
Corporation,  September  1972. 

43.  J.  Cardinal,  "Establish  Manufacturing  Processes  for  Polyimide/Glass 
Printed  Circuit  Boards."  Hamilton  Standard  Division,  Windsor  Locks, 
Conn.,  March  23,  197G. 

49.  Anor . ,  "Digital  Evaluation  and  Generic  Eailure  Analysis  Data."  RADC 
docuMienl  no.  MDi<-10,  ITI  P.csoarch  institute,  January  1973. 

50.  ,;.l.  Duane,  "Learning  Curve  Approach  to  Reliability  Monitoring",  ICLL 
/^erespace,  2;  pp.  563-566,  186d, 

L.ii.  Crow,  "liel  idl-'i  1  i  ly  Analysis  fur  Complex  Repairable  Systems", 

AMSAA,  TRlJo,  1974. 


51. 


-< 


52.  0.  Ke':iptl'or'ne  jncl  L.  iolk,  "ProtiaL  i  1  i  iy  Slatislics  and  data  Analysis", 
Iowa  State  Umversity  Press,  1971. 

53.  M.  [nule  and  L.J.  Bain,  "Prediction  Intervals  for  Weibuil  Process", 

T echnometrics ,  20:  pp  167-169,  1973. 

54.  W.M,  Bassiii,  "Increasing  Hazard  Functions  and  Overhaul  Policy",  Annual 
Reliability  Symposium,  pp  173-173,  1969. 

55.  L.H.  Crow,  "On  Tracking  Reliability  Growth",  Reliability  and  Mairitain- 
ability  Symposium,  pp  438-443,  1975. 

56.  L.b.  Cl  ov. ,  ''Confidence  Interval  Procedures  For  Reliability  G*'owth 
Analysis",  AMSAA,  TR197,  Ar-A044788,  1977. 

57.  il.M.  I  inkolstein,  "Confidence  Bounds  Gn  The  Parametv  s  of  Tfio  WeiLull 
Process",  Technometr  ics .  18:  pp  1  1  5-117,  1976. 

53.  !  ,  and  S.K.  l.ce,  "So;;'e  Resuifs  on  in't-rence  for  the  Weibull  Pro¬ 

cess",  Technoinetrics,  20:  pp  41-45,  1978. 

59.  3.  Posner,  "Systems  .‘•.nalysis-Monl  inear  Estimating  1  ecliniques" ,  [relia¬ 
bility  and  Quality  Control  Symposium,  pp  203-207,  1961. 

60.  Anon,,  'Logistics  Support  Cost  Mudel",  U.S.  Air  ! orcc  AFALD,  Wrighl- 
Raiierson  Air  1  orce  Base,  Ohio,  August  1976. 

61.  G.( .  Gulh,  "Development  of  Nonelectric  Pat  t  Cyclic  Failure  Rates", 
Martin-Marietta  Corp.,  (RADC-TR-77-417) ,  December  1977. 

62.  l)onald  F,  Cottrell  and  Tho;::as  E.  Kirejezyk,  "Crimp  Connection  Relia¬ 
bility",  Martin-Marrietta  Corp. ,  (RAi)C-TR-78-l  5) ,  January  1978. 

63.  Walter  8.  Hatfield  and  Daniel  P.  Wicker,  Ihe  Sin.ger  Co'npany,  Corporate 
P.&D  Laboratory,  "A  Microelectronic  Packaging  Technology  For  Consumer 
Product  Applications",  presented  at  the  Fleclronic  Component  Conference, 
Apr  i  1 ,  1978 . 

64.  The  trie  Ceramic  Arts  Company,  "Porcelain  Enamel  Substrates  i'or  Thick 
Film  Hybrids  and  P.C.  Boards",  Erie,  PA. 

65.  Sikorsky  Aircraft  Division,  "Vibration  Effects  Uri  Helicopter  Reliability 
and  Maintainability."  Prepared  for  Euslis  Directorate,  d.S.  Army  Air 
Mobility  Research  and  Development  Laboratory,  Fort  tusLis,  VA,  (contract 
#  DAAJ02-71-C-0037),  April,  1973. 

6G.  Anon.,  "RADC  Reliability  Notebook",  Volume  II,  Icchnical  l-cpcrt  flo, 
kAlJC-Tk-67-108,  Sefitember,  1967, 


439/490 


*■  U.S.fiovornroent  f’rinling  OlfIc«-  1901  •  757  00fc/409 


